Vulnerability Name: CVE-2020-26818 (CCN-191534) Assigned: 2020-11-10 Published: 2020-11-10 Updated: 2022-10-05 Summary: SAP NetWeaver AS ABAP (Web Dynpro), versions - 731, 740, 750, 751, 752, 753, 754, 755, 782, allows an authenticated user to access Web Dynpro components, which reveals sensitive system information that would otherwise be restricted to highly privileged users because of missing authorization, resulting in Information Disclosure. CVSS v3 Severity: 8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): LowUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): LowUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): NoneAvailibility (A): None
CVSS v2 Severity: 6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAuthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): PartialIntegrity (I): PartialAvailibility (A): Partial
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): CompleteIntegrity (I): NoneAvailibility (A): None
Vulnerability Type: CWE-862 Vulnerability Consequences: Obtain Information References: Source: MITRECVE-2020-26818 sap-cve202026818-info-disc(191534) SAP Support Note 2971954 https://launchpad.support.sap.com/#/notes/2971954 SAP Security Patch Day - November 2020 https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571 Vulnerable Configuration: Configuration 1 :cpe:/a:sap:netweaver_application_server_abap:750:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:752:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:753:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:754:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:755:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:731:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:740:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:751:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_application_server_abap:782:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:sap:netweaver_as_abap:731:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:740:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:750:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:751:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:752:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:753:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:754:*:*:*:*:*:*:* OR cpe:/a:sap:netweaver_as_abap:755:*:*:*:*:*:*:* BACK
sap netweaver application server abap 750
sap netweaver application server abap 752
sap netweaver application server abap 753
sap netweaver application server abap 754
sap netweaver application server abap 755
sap netweaver application server abap 731
sap netweaver application server abap 740
sap netweaver application server abap 751
sap netweaver application server abap 782
sap netweaver as abap 731
sap netweaver as abap 740
sap netweaver as abap 750
sap netweaver as abap 751
sap netweaver as abap 752
sap netweaver as abap 753
sap netweaver as abap 754
sap netweaver as abap 755
Denotes that component is vulnerable