Vulnerability Details : CVE-2020-6369
SAP Solution Manager and SAP Focused Run (update provided in WILY_INTRO_ENTERPRISE 9.7, 10.1, 10.5, 10.7) allow an unauthenticated attacker to bypass authentication if the default passwords for the Admin and Guest accounts have not been changed by the administrator. This may impact the confidentiality of the service. The affected component is the bundled CA/Wily Introscope Enterprise Manager (the third-party advisories referenced below describe the issue as hard-coded credentials in that component), so the practical check on an existing installation is whether the Admin and Guest accounts still accept their shipped default passwords, and the fix is to apply the WILY_INTRO_ENTERPRISE update and change those passwords.
Products affected by CVE-2020-6369
- cpe:2.3:a:sap:solution_manager:9.7:*:*:*:*:*:*:*
- cpe:2.3:a:sap:solution_manager:10.1:*:*:*:*:*:*:*
- cpe:2.3:a:sap:solution_manager:10.5:*:*:*:*:*:*:*
- cpe:2.3:a:sap:solution_manager:10.7:*:*:*:*:*:*:*
- cpe:2.3:a:sap:focused_run:9.7:*:*:*:*:*:*:*
- cpe:2.3:a:sap:focused_run:10.1:*:*:*:*:*:*:*
- cpe:2.3:a:sap:focused_run:10.5:*:*:*:*:*:*:*
- cpe:2.3:a:sap:focused_run:10.7:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-6369
- EPSS score: 0.21% (estimated probability of exploitation activity in the next 30 days)
- EPSS percentile: ~59% (the proportion of scored vulnerabilities whose EPSS score is at or below this one)
CVSS scores for CVE-2020-6369
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | SAP SE |
5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 | NIST |

The SAP SE and NIST v3 vectors differ only in Attack Complexity (AC:L versus AC:H), which is what moves the base score from 7.5 to 5.9; the impact sub-score (C:H only) is the same in both.
References for CVE-2020-6369
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196 (SAP Security Patch Day – October 2020, Product Security Response at SAP, Community Wiki; Vendor Advisory)
- https://launchpad.support.sap.com/#/notes/2971638 (SAP Note 2971638 on the SAP ONE Support Launchpad, login required; Permissions Required, Vendor Advisory)
- http://seclists.org/fulldisclosure/2021/Jun/31 (Full Disclosure: Onapsis Security Advisory 2021-0009: Hard-coded Credentials in CA Introscope Enterprise Manager; Mailing List, Third Party Advisory)
- http://packetstormsecurity.com/files/163159/SAP-Wily-Introscope-Enterprise-Default-Hard-Coded-Credentials.html (SAP Wily Introscope Enterprise Default Hard-Coded Credentials, Packet Storm; Third Party Advisory)