Vulnerability Details : CVE-2020-6214
SAP S/4HANA (Financial Products Subledger), version 100, uses an incorrect authorization object in some reports. Although the affected reports are protected with other authorization objects, exploitation of the vulnerability would allow an authenticated attacker to view, change, or delete data, thereby preventing the proper segregation of duties in the system.
Exploit prediction scoring system (EPSS) score for CVE-2020-6214
Probability of exploitation activity in the next 30 days: 0.07%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 30 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2020-6214
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
6.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
8.0
|
6.4
|
NIST |
|
4.7
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
1.2
|
3.4
|
SAP SE |
|
4.7
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L |
1.2
|
3.4
|
NIST |
CWE ids for CVE-2020-6214
-
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.Assigned by:
- cna@sap.com (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2020-6214
-
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202
SAP Security Patch Day – April 2020 - Product Security Response at SAP - Community WikiVendor Advisory
-
https://launchpad.support.sap.com/#/notes/2897612
SAP ONE Support Launchpad: Log OnPermissions Required;Vendor Advisory
Products affected by CVE-2020-6214
- cpe:2.3:a:sap:s\/4hana:100:*:*:*:*:financial_products_subledger:*:*