CVE-2020-6275

high-risk

Published 2020-06-10

SAP Netweaver AS ABAP, versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, are vulnerable for Server Side Request Forgery Attack where in an attacker can use inappropriate path names containing malicious server names in the import/export of sessions functionality and coerce the web server into authenticating with the malicious server. Furthermore, if NTLM is setup the attacker can compromise confidentiality, integrity and availability of the SAP database.

Do I need to act?

0.46% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (13)

Netweaver Application Server Abap

Affected Vendors

Sap

References (4)

Permissions Required https://launchpad.support.sap.com/#/notes/2912939

Vendor Advisory https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775

Permissions Required https://launchpad.support.sap.com/#/notes/2912939

Vendor Advisory https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 2/34 · Minimal

Exposure 17/34 · Moderate