cnvd - cnvd-2020-38866

cnvd-2020-38866

Vulnerability from cnvd

Title

SAP NetWeaver AS Java命令执行漏洞

Description

SAP Netweaver是德国思爱普（SAP）公司的一套面向服务的集成化应用平台。该平台主要为SAP应用程序提供开发和运行环境。SAP NetWeaver Application Server（AS）Java是一款运行于NetWeaver中且基于Java编程语言的应用服务器。 SAP NetWeaver AS Java（LM配置向导）7.30至7.50版本存在安全漏洞。未经身份验证的远程攻击者可以通过创建具有最大特权的新SAP用户，绕过所有访问和授权控制，从而完全控制SAP系统。

Severity

高

Patch Name

SAP NetWeaver AS Java命令执行漏洞的补丁

Patch Description

Formal description

建议将SAP对应产品升级至安全版本，建议用户下载使用： https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-6287

Impacted products

Name
['SAP Netweaver Application Server Java 7.30', 'SAP Netweaver Application Server Java 7.31', 'SAP Netweaver Application Server Java 7.40', 'SAP Netweaver Application Server Java 7.50']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-6287"
    }
  },
  "description": "SAP Netweaver\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u9762\u5411\u670d\u52a1\u7684\u96c6\u6210\u5316\u5e94\u7528\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3b\u8981\u4e3aSAP\u5e94\u7528\u7a0b\u5e8f\u63d0\u4f9b\u5f00\u53d1\u548c\u8fd0\u884c\u73af\u5883\u3002SAP NetWeaver Application Server\uff08AS\uff09Java\u662f\u4e00\u6b3e\u8fd0\u884c\u4e8eNetWeaver\u4e2d\u4e14\u57fa\u4e8eJava\u7f16\u7a0b\u8bed\u8a00\u7684\u5e94\u7528\u670d\u52a1\u5668\u3002\n\nSAP NetWeaver AS Java\uff08LM\u914d\u7f6e\u5411\u5bfc\uff097.30\u81f37.50\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u521b\u5efa\u5177\u6709\u6700\u5927\u7279\u6743\u7684\u65b0SAP\u7528\u6237\uff0c\u7ed5\u8fc7\u6240\u6709\u8bbf\u95ee\u548c\u6388\u6743\u63a7\u5236\uff0c\u4ece\u800c\u5b8c\u5168\u63a7\u5236SAP\u7cfb\u7edf\u3002",
  "formalWay": "\u5efa\u8bae\u5c06SAP\u5bf9\u5e94\u4ea7\u54c1\u5347\u7ea7\u81f3\u5b89\u5168\u7248\u672c\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u4f7f\u7528\uff1a\r\nhttps://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-38866",
  "openTime": "2020-07-15",
  "patchDescription": "SAP Netweaver\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u5957\u9762\u5411\u670d\u52a1\u7684\u96c6\u6210\u5316\u5e94\u7528\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3b\u8981\u4e3aSAP\u5e94\u7528\u7a0b\u5e8f\u63d0\u4f9b\u5f00\u53d1\u548c\u8fd0\u884c\u73af\u5883\u3002SAP NetWeaver Application Server\uff08AS\uff09Java\u662f\u4e00\u6b3e\u8fd0\u884c\u4e8eNetWeaver\u4e2d\u4e14\u57fa\u4e8eJava\u7f16\u7a0b\u8bed\u8a00\u7684\u5e94\u7528\u670d\u52a1\u5668\u3002\r\n\r\nSAP NetWeaver AS Java\uff08LM\u914d\u7f6e\u5411\u5bfc\uff097.30\u81f37.50\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u521b\u5efa\u5177\u6709\u6700\u5927\u7279\u6743\u7684\u65b0SAP\u7528\u6237\uff0c\u7ed5\u8fc7\u6240\u6709\u8bbf\u95ee\u548c\u6388\u6743\u63a7\u5236\uff0c\u4ece\u800c\u5b8c\u5168\u63a7\u5236SAP\u7cfb\u7edf\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP NetWeaver AS Java\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "SAP Netweaver Application Server Java 7.30",
      "SAP Netweaver Application Server Java 7.31",
      "SAP Netweaver Application Server Java 7.40",
      "SAP Netweaver Application Server Java 7.50"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-6287",
  "serverity": "\u9ad8",
  "submitTime": "2020-07-15",
  "title": "SAP NetWeaver AS Java\u547d\u4ee4\u6267\u884c\u6f0f\u6d1e"
}

CVE-2020-6287 (GCVE-0-2020-6287)

Vulnerability from cvelistv5

Published

2020-07-14 12:30

Modified

2025-07-30 01:45

Severity ?

10.0 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

Missing Authentication Check

Summary

SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.

References

URL

Tags

	https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675	x_refsource_MISC
	https://launchpad.support.sap.com/#/notes/2934135	x_refsource_MISC
	https://www.onapsis.com/recon-sap-cyber-security-vulnerability	x_refsource_MISC
	http://seclists.org/fulldisclosure/2021/Apr/6	mailing-list, x_refsource_FULLDISC
	http://packetstormsecurity.com/files/162085/SAP-JAVA-Configuration-Task-Execution.html	x_refsource_MISC