CVE-2020-6318

SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization

  • Severity Score: 7.2 (CVSS v3.1)
  • Public Exploits: 2 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

A Remote Code Execution vulnerability exists in SAP NetWeaver (ABAP Server, up to release 7.40) and ABAP Platform (> release 7.40). Because of this, an attacker can exploit these products via Code Injection, potentially taking complete control of the products, including viewing, changing, or deleting data, by injecting code into the working memory which is subsequently executed by the application. It can also be used to cause a general fault in the product, causing the products to terminate.

The SAP application server ABAP and ABAP Platform are susceptible to code injection, SQL injection, and missing authorization vulnerabilities. Multiple SAP products are affected.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2020-01-08 CVE Reserved
  • 2020-09-09 CVE Published
  • 2024-01-13 EPSS Updated
  • 2024-08-04 CVE Updated
  • 2024-08-04 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status |
|---|---|---|---|---|
| Sap | Abap Platform | 700 | - | Affected |
| Sap | Abap Platform | 701 | - | Affected |
| Sap | Abap Platform | 702 | - | Affected |
| Sap | Abap Platform | 710 | - | Affected |
| Sap | Abap Platform | 711 | - | Affected |
| Sap | Abap Platform | 730 | - | Affected |
| Sap | Abap Platform | 731 | - | Affected |
| Sap | Abap Platform | 740 | - | Affected |
| Sap | Abap Platform | 750 | - | Affected |
| Sap | Abap Platform | 751 | - | Affected |
| Sap | Abap Platform | 753 | - | Affected |
| Sap | Abap Platform | 754 | - | Affected |
| Sap | Abap Platform | 755 | - | Affected |