CVE-2020-26820 - OpenCVE

SAP NetWeaver AS JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker who is authenticated as an administrator to use the administrator console, to expose unauthenticated access to the file system and upload a malicious file. The attacker or another user can then use a separate mechanism to execute OS commands through the uploaded file leading to Privilege Escalation and completely compromise the confidentiality, integrity and availability of the server operating system and any application running on it.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:S/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Sap	Netweaver Application Server Java

Configuration 1 [-]

OR	cpe:2.3:a:sap:netweaver_application_server_java:7.20:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:7.30:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:7.31:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:7.40:::::::*
	cpe:2.3:a:sap:netweaver_application_server_java:7.50:::::::*

References

Link	Resource
http://packetstormsecurity.com/files/162086/SAP-Java-OS-Remote-Code-Execution.html	Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2021/Apr/7	Mailing List Third Party Advisory
https://launchpad.support.sap.com/#/notes/2979062	Permissions Required Vendor Advisory
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: sap

Published: 2020-11-10T16:14:04

Updated: 2021-04-06T15:06:18

Reserved: 2020-10-07T00:00:00

Link: CVE-2020-26820

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-11-10T17:15:14.173

Modified: 2022-01-01T18:18:22.327

Link: CVE-2020-26820

JSON object: View

Redhat Information

No data.

CWE

CWE-434

{"containers": {"cna": {"affected": [{"product": "SAP NetWeaver AS JAVA", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 7.20"}, {"status": "affected", "version": "< 7.30"}, {"status": "affected", "version": "< 7.31"}, {"status": "affected", "version": "< 7.40"}, {"status": "affected", "version": "< 7.50"}]}], "descriptions": [{"lang": "en", "value": "SAP NetWeaver AS JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker who is authenticated as an administrator to use the administrator console, to expose unauthenticated access to the file system and upload a malicious file. The attacker or another user can then use a separate mechanism to execute OS commands through the uploaded file leading to Privilege Escalation and completely compromise the confidentiality, integrity and availability of the server operating system and any application running on it."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Privilege escalation", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-04-06T15:06:18", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571"}, {"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/2979062"}, {"name": "20210405 Onapsis Security Advisory 2021-0004: [CVE-2020-26820] - SAP Java OS Remote Code Execution", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2021/Apr/7"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/162086/SAP-Java-OS-Remote-Code-Execution.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2020-26820", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP NetWeaver AS JAVA", "version": {"version_data": [{"version_name": "<", "version_value": "7.20"}, {"version_name": "<", "version_value": "7.30"}, {"version_name": "<", "version_value": "7.31"}, {"version_name": "<", "version_value": "7.40"}, {"version_name": "<", "version_value": "7.50"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SAP NetWeaver AS JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker who is authenticated as an administrator to use the administrator console, to expose unauthenticated access to the file system and upload a malicious file. The attacker or another user can then use a separate mechanism to execute OS commands through the uploaded file leading to Privilege Escalation and completely compromise the confidentiality, integrity and availability of the server operating system and any application running on it."}]}, "impact": {"cvss": {"baseScore": "9.1", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Privilege escalation"}]}]}, "references": {"reference_data": [{"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571"}, {"name": "https://launchpad.support.sap.com/#/notes/2979062", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2979062"}, {"name": "20210405 Onapsis Security Advisory 2021-0004: [CVE-2020-26820] - SAP Java OS Remote Code Execution", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2021/Apr/7"}, {"name": "http://packetstormsecurity.com/files/162086/SAP-Java-OS-Remote-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/162086/SAP-Java-OS-Remote-Code-Execution.html"}]}}}}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2020-26820", "datePublished": "2020-11-10T16:14:04", "dateReserved": "2020-10-07T00:00:00", "dateUpdated": "2021-04-06T15:06:18", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_application_server_java:7.20:*:*:*:*:*:*:*", "matchCriteriaId": "43A28C48-4325-4694-88B1-FEE46EBFB0A6", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_java:7.30:*:*:*:*:*:*:*", "matchCriteriaId": "24A1E0B9-8C28-41BC-B050-237B5F929C9C", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_java:7.31:*:*:*:*:*:*:*", "matchCriteriaId": "EEAE6C2A-821F-4123-BD56-0FDADF9D63C8", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_java:7.40:*:*:*:*:*:*:*", "matchCriteriaId": "F5308FCE-8B2C-4B4D-BEE7-3CF544570B68", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_application_server_java:7.50:*:*:*:*:*:*:*", "matchCriteriaId": "9C506445-3787-4BFF-A98B-7502A0F7CF80", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SAP NetWeaver AS JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker who is authenticated as an administrator to use the administrator console, to expose unauthenticated access to the file system and upload a malicious file. The attacker or another user can then use a separate mechanism to execute OS commands through the uploaded file leading to Privilege Escalation and completely compromise the confidentiality, integrity and availability of the server operating system and any application running on it."}, {"lang": "es", "value": "SAP NetWeaver AS JAVA, versiones - 7.20, 7.30, 7.31, 7.40, 7.50, permite a un atacante que es autenticado como administrador usar la consola de administrador, exponer el acceso no autenticado al sistema de archivos y cargar un archivo malicioso. El atacante u otro usuario pueden usar un mecanismo separado para ejecutar los comandos del Sistema Operativo por medio del archivo cargado conllevando a una Escalada de Privilegios y comprometer completamente la confidencialidad, integridad y disponibilidad del sistema operativo del servidor y cualquier aplicaci\u00f3n que se ejecute en \u00e9l"}], "id": "CVE-2020-26820", "lastModified": "2022-01-01T18:18:22.327", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "cna@sap.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-10T17:15:14.173", "references": [{"source": "cna@sap.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/162086/SAP-Java-OS-Remote-Code-Execution.html"}, {"source": "cna@sap.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2021/Apr/7"}, {"source": "cna@sap.com", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://launchpad.support.sap.com/#/notes/2979062"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=562725571"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}