{"containers": {"cna": {"affected": [{"product": "SAP NetWeaver (ABAP Server) and ABAP Platform", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 700"}, {"status": "affected", "version": "< 701"}, {"status": "affected", "version": "< 702"}, {"status": "affected", "version": "< 710"}, {"status": "affected", "version": "< 711"}, {"status": "affected", "version": "< 730"}, {"status": "affected", "version": "< 731"}, {"status": "affected", "version": "< 740"}, {"status": "affected", "version": "< 750"}, {"status": "affected", "version": "< 751"}, {"status": "affected", "version": "< 752"}, {"status": "affected", "version": "< 753"}, {"status": "affected", "version": "< 754"}, {"status": "affected", "version": "< 755"}]}], "descriptions": [{"lang": "en", "value": "A Remote Code Execution vulnerability exists in the SAP NetWeaver (ABAP Server, up to release 7.40) and ABAP Platform (> release 7.40).Because of this, an attacker can exploit these products via Code Injection, and potentially enabling to take complete control of the products, including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the application. It can also be used to cause a general fault in the product, causing the products to terminate."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Code Injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-05-19T17:06:19", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700"}, {"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/2958563"}, {"name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2022/May/42"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2020-6318", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP NetWeaver (ABAP Server) and ABAP Platform", "version": {"version_data": [{"version_name": "<", "version_value": "700"}, {"version_name": "<", "version_value": "701"}, {"version_name": "<", "version_value": "702"}, {"version_name": "<", "version_value": "710"}, {"version_name": "<", "version_value": "711"}, {"version_name": "<", "version_value": "730"}, {"version_name": "<", "version_value": "731"}, {"version_name": "<", "version_value": "740"}, {"version_name": "<", "version_value": "750"}, {"version_name": "<", "version_value": "751"}, {"version_name": "<", "version_value": "752"}, {"version_name": "<", "version_value": "753"}, {"version_name": "<", "version_value": "754"}, {"version_name": "<", "version_value": "755"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Remote Code Execution vulnerability exists in the SAP NetWeaver (ABAP Server, up to release 7.40) and ABAP Platform (> release 7.40).Because of this, an attacker can exploit these products via Code Injection, and potentially enabling to take complete control of the products, including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the application. It can also be used to cause a general fault in the product, causing the products to terminate."}]}, "impact": {"cvss": {"baseScore": "9.1", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Code Injection"}]}]}, "references": {"reference_data": [{"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700"}, {"name": "https://launchpad.support.sap.com/#/notes/2958563", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2958563"}, {"name": "20220518 SEC Consult SA-20220518-0 :: Multiple Critical Vulnerabilities in SAP Application Server, ABAP and ABAP Platform (Different Software Components)", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2022/May/42"}, {"name": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"}]}}}}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2020-6318", "datePublished": "2020-09-09T12:46:21", "dateReserved": "2020-01-08T00:00:00", "dateUpdated": "2022-05-19T17:06:19", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:abap_platform:700:*:*:*:*:*:*:*", "matchCriteriaId": "9AA5D36E-BE80-422B-8A6B-0ABDDE274146", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:abap_platform:701:*:*:*:*:*:*:*", "matchCriteriaId": "C04D8608-83F0-4D7F-A7A9-59B616240F14", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:abap_platform:702:*:*:*:*:*:*:*", "matchCriteriaId": "E4DF5956-1396-41FA-B101-E24F7898D135", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:abap_platform:710:*:*:*:*:*:*:*", "matchCriteriaId": "ADE0E878-BE4E-4CFD-907D-7ABB745A4CE8", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:abap_platform:711:*:*:*:*:*:*:*", "matchCriteriaId": "D14E8DCD-B365-4FC0-B08C-1A89787111C9", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:abap_platform:730:*:*:*:*:*:*:*", "matchCriteriaId": "47631DD2-0504-449D-9460-4D4233EAAEF3", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:abap_platform:731:*:*:*:*:*:*:*", "matchCriteriaId": "CC2B8C19-4A66-44A8-9995-2BB71D8AA665", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:abap_platform:740:*:*:*:*:*:*:*", "matchCriteriaId": "07710B18-BF01-4316-A258-4F1CB6269C5E", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:abap_platform:750:*:*:*:*:*:*:*", "matchCriteriaId": "A3A631DA-1279-49AC-922E-7D7216DACC8D", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:abap_platform:751:*:*:*:*:*:*:*", "matchCriteriaId": "65320F25-669B-40D8-A246-07B0202C00A9", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:abap_platform:753:*:*:*:*:*:*:*", "matchCriteriaId": "E1C86F45-445E-4970-A378-199A35B23F4B", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:abap_platform:754:*:*:*:*:*:*:*", "matchCriteriaId": "74901A8A-A556-478F-ABCD-7DCFD471210A", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:abap_platform:755:*:*:*:*:*:*:*", "matchCriteriaId": "5B48E0FF-814F-4F9C-B5B1-87D978E1B4A4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A Remote Code Execution vulnerability exists in the SAP NetWeaver (ABAP Server, up to release 7.40) and ABAP Platform (> release 7.40).Because of this, an attacker can exploit these products via Code Injection, and potentially enabling to take complete control of the products, including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the application. It can also be used to cause a general fault in the product, causing the products to terminate."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de ejecuci\u00f3n de c\u00f3digo remota en SAP NetWeaver (servidor ABAP, versiones hasta 7.40) y la Plataforma ABAP (versiones posteriores a 7.40). Debido a esto, un atacante puede explotar estos productos por medio de una Inyecci\u00f3n de C\u00f3digo y potencialmente permitir tomar el control completo de los productos, incluyendo la visualizaci\u00f3n, el cambio o la eliminaci\u00f3n de datos mediante la inyecci\u00f3n de c\u00f3digo en la memoria de trabajo que es posteriormente ejecutada por la aplicaci\u00f3n.&#xa0;Tambi\u00e9n puede ser usada para causar un fallo general en el producto, causando que los productos finalicen."}], "id": "CVE-2020-6318", "lastModified": "2022-07-01T19:24:56.420", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "cna@sap.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-09T13:15:12.020", "references": [{"source": "cna@sap.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html"}, {"source": "cna@sap.com", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2022/May/42"}, {"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/2958563"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}