Vulnerability Details : CVE-2020-6363
SAP Commerce Cloud, versions - 1808, 1811, 1905, 2005, exposes several web applications that maintain sessions with a user. These sessions are established after the user has authenticated with username/passphrase credentials. The user can change their own passphrase, but this does not invalidate active sessions that the user may have with SAP Commerce Cloud web applications, which gives an attacker the opportunity to reuse old session credentials, resulting in Insufficient Session Expiration.
Exploit prediction scoring system (EPSS) score for CVE-2020-6363
Probability of exploitation activity in the next 30 days: 0.05%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 21 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2020-6363
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
4.9
|
MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:N |
6.8
|
4.9
|
NIST |
|
4.6
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
2.1
|
2.5
|
NIST |
CWE ids for CVE-2020-6363
-
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-6363
-
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196
SAP Security Patch Day – October 2020 - Product Security Response at SAP - Community WikiVendor Advisory
-
https://launchpad.support.sap.com/#/notes/2965287
SAP ONE Support Launchpad: Log OnPermissions Required
Products affected by CVE-2020-6363
- cpe:2.3:a:sap:commerce_cloud:1808:*:*:*:*:*:*:*
- cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*
- cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*
- cpe:2.3:a:sap:commerce_cloud:2005:*:*:*:*:*:*:*