CVE-2020-6307 - OpenCVE

Automated Note Search Tool (update provided in SAP Basis 7.0, 7.01, 7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 and 7.54) does not perform sufficient authorization checks leading to the reading of sensitive information.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Sap	Basis

Configuration 1 [-]

OR	cpe:2.3:a:sap:basis:7.0:::::::*
	cpe:2.3:a:sap:basis:7.01:::::::*
	cpe:2.3:a:sap:basis:7.02:::::::*
	cpe:2.3:a:sap:basis:7.31:::::::*
	cpe:2.3:a:sap:basis:7.40:::::::*
	cpe:2.3:a:sap:basis:7.50:::::::*
	cpe:2.3:a:sap:basis:7.51:::::::*
	cpe:2.3:a:sap:basis:7.52:::::::*
	cpe:2.3:a:sap:basis:7.53:::::::*
	cpe:2.3:a:sap:basis:7.54:::::::*

References

Link	Resource
https://launchpad.support.sap.com/#/notes/2863397	Permissions Required
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=533671771	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: sap

Published: 2020-01-14T17:52:59

Updated: 2020-01-14T17:52:59

Reserved: 2020-01-08T00:00:00

Link: CVE-2020-6307

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-01-14T18:15:12.180

Modified: 2021-07-21T11:39:23.747

Link: CVE-2020-6307

JSON object: View

Redhat Information

No data.

CWE

CWE-863

{"containers": {"cna": {"affected": [{"product": "Automated Note Search Tool (SAP Basis)", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 7.0"}, {"status": "affected", "version": "< 7.01"}, {"status": "affected", "version": "< 7.02"}, {"status": "affected", "version": "< 7.31"}, {"status": "affected", "version": "< 7.4"}, {"status": "affected", "version": "< 7.5"}, {"status": "affected", "version": "< 7.51"}, {"status": "affected", "version": "< 7.52"}, {"status": "affected", "version": "< 7.53"}, {"status": "affected", "version": "< 7.54"}]}], "descriptions": [{"lang": "en", "value": "Automated Note Search Tool (update provided in SAP Basis 7.0, 7.01, 7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 and 7.54) does not perform sufficient authorization checks leading to the reading of sensitive information."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Missing Authorization Check", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-01-14T17:52:59", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=533671771"}, {"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/2863397"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2020-6307", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Automated Note Search Tool (SAP Basis)", "version": {"version_data": [{"version_name": "<", "version_value": "7.0"}, {"version_name": "<", "version_value": "7.01"}, {"version_name": "<", "version_value": "7.02"}, {"version_name": "<", "version_value": "7.31"}, {"version_name": "<", "version_value": "7.4"}, {"version_name": "<", "version_value": "7.5"}, {"version_name": "<", "version_value": "7.51"}, {"version_name": "<", "version_value": "7.52"}, {"version_name": "<", "version_value": "7.53"}, {"version_name": "<", "version_value": "7.54"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Automated Note Search Tool (update provided in SAP Basis 7.0, 7.01, 7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 and 7.54) does not perform sufficient authorization checks leading to the reading of sensitive information."}]}, "impact": {"cvss": {"baseScore": "4.3", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Missing Authorization Check"}]}]}, "references": {"reference_data": [{"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=533671771", "refsource": "CONFIRM", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=533671771"}, {"name": "https://launchpad.support.sap.com/#/notes/2863397", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2863397"}]}}}}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2020-6307", "datePublished": "2020-01-14T17:52:59", "dateReserved": "2020-01-08T00:00:00", "dateUpdated": "2020-01-14T17:52:59", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:basis:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "49E9E5C3-C582-4294-A33E-5B54EC5A1046", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:basis:7.01:*:*:*:*:*:*:*", "matchCriteriaId": "D262D407-99E0-40B4-B57D-B8E693795368", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:basis:7.02:*:*:*:*:*:*:*", "matchCriteriaId": "5048545D-7872-4EB9-AA97-557944999BB6", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:basis:7.31:*:*:*:*:*:*:*", "matchCriteriaId": "1AC2D764-A795-4FBC-95AF-D212B8E51991", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:basis:7.40:*:*:*:*:*:*:*", "matchCriteriaId": "B469CB1A-3AF3-4824-A185-A46A63DBABBE", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:basis:7.50:*:*:*:*:*:*:*", "matchCriteriaId": "56852389-A9A8-42DB-A471-10C1990502FF", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:basis:7.51:*:*:*:*:*:*:*", "matchCriteriaId": "594CB284-78FF-491F-BAF6-390E7D4D5DBE", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:basis:7.52:*:*:*:*:*:*:*", "matchCriteriaId": "F7ACA030-9C6A-47D3-A7D9-899753870241", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:basis:7.53:*:*:*:*:*:*:*", "matchCriteriaId": "893979E3-40EB-4847-A39B-F548F3000F89", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:basis:7.54:*:*:*:*:*:*:*", "matchCriteriaId": "977F2126-AB92-47D0-B7D4-314D468AC497", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Automated Note Search Tool (update provided in SAP Basis 7.0, 7.01, 7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 and 7.54) does not perform sufficient authorization checks leading to the reading of sensitive information."}, {"lang": "es", "value": "Automated Note Search Tool (actualizaci\u00f3n proporcionada en SAP Basis versiones 7.0, 7.01, 7.02, 7.31, 7.4, 7.5, 7.51, 7.52, 7.53 y 7.54), no realiza suficientes comprobaciones de autorizaci\u00f3n conllevando a la lectura de informaci\u00f3n confidencial."}], "id": "CVE-2020-6307", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@sap.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-14T18:15:12.180", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/2863397"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=533671771"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}