Vulnerability Details : CVE-2020-26832
SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable.
Products affected by CVE-2020-26832
- cpe:2.3:a:sap:s\/4_hana:101:*:*:*:*:*:*:*
- cpe:2.3:a:sap:s\/4_hana:102:*:*:*:*:*:*:*
- cpe:2.3:a:sap:s\/4_hana:103:*:*:*:*:*:*:*
- cpe:2.3:a:sap:s\/4_hana:104:*:*:*:*:*:*:*
- cpe:2.3:a:sap:s\/4_hana:105:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_640:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_700:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_710:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_730:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_731:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_752:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:2020:*:*:*:*:*:*:*
- cpe:2.3:a:sap:netweaver_application_server_abap:2011_1_620:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-26832
1.39%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 87 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-26832
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:S/C:P/I:N/A:C |
8.0
|
7.8
|
NIST | |
7.6
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H |
2.3
|
4.7
|
SAP SE | |
7.6
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H |
2.3
|
4.7
|
NIST |
CWE ids for CVE-2020-26832
-
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-26832
-
http://seclists.org/fulldisclosure/2022/May/42
Full Disclosure: SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP® Application Server, ABAP and ABAP® Platform (Different Software Components)Exploit;Mailing List;Third Party Advisory
-
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079
Vendor Advisory
-
http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html
SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization ≈ Packet StormExploit;Third Party Advisory;VDB Entry
-
https://launchpad.support.sap.com/#/notes/2993132
Permissions Required
Jump to