CVE-2020-26837

SAP Solution Manager 7.2 File Disclosure / Denial of Service

Severity Score

9.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

SAP Solution Manager 7.2 (User Experience Monitoring), version - 7.2, allows an authenticated user to upload a malicious script that can exploit an existing path traversal vulnerability to compromise confidentiality exposing elements of the file system, partially compromise integrity allowing the modification of some configurations and partially compromise availability by making certain services unavailable.

SAP Solution Manager versión 7.2 (User Experience Monitoring), versión - 7.2, permite a un usuario autenticado cargar un script malicioso que puede explotar una vulnerabilidad de salto de ruta existente para comprometer la confidencialidad exponiendo elementos del sistema de archivos, comprometiendo parcialmente la integridad permitiendo la modificación de algunas configuraciones. y comprometer parcialmente la disponibilidad al hacer que determinados servicios no estén disponibles

The End-User Experience Monitoring (EEM) application, part of the SAP Solution Manager version 7.2, is vulnerable to path traversal. As a consequence, an unauthorized attacker would be able to read sensitive OS files and affect the availability of the EEM robots connected to the SolMan.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-10-07 CVE Reserved
2020-12-09 CVE Published
2024-08-04 CVE Updated
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (3)

URL	Tag	Source
http://packetstormsecurity.com/files/163160/SAP-Solution-Manager-7.2-File-Disclosure-Denial-Of-Service.html	Third Party Advisory
http://seclists.org/fulldisclosure/2021/Jun/32	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079	2021-06-17

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sap Search vendor "Sap"		Solution Manager Search vendor "Sap" for product "Solution Manager"				7.20 Search vendor "Sap" for product "Solution Manager" and version "7.20"		-		Affected