Vulnerability Name:

CVE-2020-26832 (CCN-192843)

Assigned:2020-12-08
Published:2020-12-08
Updated:2022-10-05
Summary:SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable.
CVSS v3 Severity:7.6 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H)
6.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): High
7.6 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H)
6.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H/E:P/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): Complete
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): Complete
Vulnerability Type:CWE-862
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2020-26832

Source: MISC
Type: Exploit, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html

Source: FULLDISC
Type: Exploit, Mailing List, Third Party Advisory
20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)

Source: XF
Type: UNKNOWN
sap-cve202026832-info-disc(192843)

Source: CCN
Type: SAP Web site
SAP Support Note 2993132

Source: MISC
Type: Permissions Required
https://launchpad.support.sap.com/#/notes/2993132

Source: CCN
Type: Packet Storm Security [05-19-2022]
SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization

Source: CCN
Type: SAP Security Patch Day - December 2020
SAP Security Patch Day - December 2020

Source: MISC
Type: Vendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079

Vulnerable Configuration:Configuration 1:
  • cpe:/a:sap:s/4_hana:102:*:*:*:*:*:*:*
  • OR cpe:/a:sap:s/4_hana:103:*:*:*:*:*:*:*
  • OR cpe:/a:sap:s/4_hana:104:*:*:*:*:*:*:*
  • OR cpe:/a:sap:s/4_hana:105:*:*:*:*:*:*:*
  • OR cpe:/a:sap:s/4_hana:101:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:2011_1_640:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:2011_1_700:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:2011_1_710:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:2011_1_730:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:2011_1_731:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:2011_1_752:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:2020:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_application_server_abap:2011_1_620:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:sap:netweaver_as_abap:2011_1_620:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:2011_1_640:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:2011_1_700:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:2011_1_710:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:2011_1_730:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:2011_1_731:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:2011_1_752:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver_as_abap:2020:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    sap s/4 hana 102
    sap s/4 hana 103
    sap s/4 hana 104
    sap s/4 hana 105
    sap s/4 hana 101
    sap netweaver application server abap 2011_1_640
    sap netweaver application server abap 2011_1_700
    sap netweaver application server abap 2011_1_710
    sap netweaver application server abap 2011_1_730
    sap netweaver application server abap 2011_1_731
    sap netweaver application server abap 2011_1_752
    sap netweaver application server abap 2020
    sap netweaver application server abap 2011_1_620
    sap netweaver as abap 2011_1_620
    sap netweaver as abap 2011_1_640
    sap netweaver as abap 2011_1_700
    sap netweaver as abap 2011_1_710
    sap netweaver as abap 2011_1_730
    sap netweaver as abap 2011_1_731
    sap netweaver as abap 2011_1_752
    sap netweaver as abap 2020