CVE-2020-6242

moderate-risk
Published 2020-05-12

SAP Business Objects Business Intelligence Platform (Live Data Connect), versions 1.0, 2.0, 2.1, 2.2, 2.3, allows an attacker to logon on the Central Management Console without password in case of the BIPRWS application server was not protected with some specific certificate, leading to Missing Authentication Check.

Do I need to act?

-
0.23% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (5)

Affected Vendors

Sap

References (6)

Permissions Required https://launchpad.support.sap.com/#/notes/2885244
Broken Link https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222
Broken Link https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222
Permissions Required https://launchpad.support.sap.com/#/notes/2885244
Broken Link https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222
Broken Link https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222
45
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 1/34 · Minimal
Exposure 12/34 · Low