Description

SAP NetWeaver AS JAVA (LM Configuration Wizard) does not perform an authentication check which allows an attacker to execute configuration tasks to perform critical actions against the SAP Java system.

Remediation

Install SAP security patches #2934135, #2939665.

References

SAP RECON PoC from chipik

SAP Security Patch Day – July 2020

Related Vulnerabilities

Piwigo Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2017-17775)

Jboss EAP Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2023-5379)

PHP Other Vulnerability (CVE-2021-21707)

phpBB Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2019-16108)

WordPress Improper Authentication Vulnerability (CVE-2022-43504)

Severity

High

Classification

CVE-2020-6287 CWE-287 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A

Tags

Insecure Admin Access Known Vulnerabilities