CVE-2020-6286

high-risk

Published 2020-07-14

The insufficient input path validation of certain parameter in the web service of SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to exploit a method to download zip files to a specific directory, leading to Path Traversal.

Do I need to act?

85.7% chance of exploitation in next 30 days

EPSS score — higher than 14% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (4)

Netweaver Application Server Java

Affected Vendors

Sap

References (4)

Permissions Required https://launchpad.support.sap.com/#/notes/2934135

Vendor Advisory https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

Permissions Required https://launchpad.support.sap.com/#/notes/2934135

Vendor Advisory https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

/ 100

high-risk

Severity 21/34 · High

Exploitability 20/34 · Moderate

Exposure 10/34 · Low