PT-2020-19077 · SAP · SAP NetWeaver AS Java

Published: 2020-07-14 · Updated: 2020-07-16 · CVE-2020-6286

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

SAP NetWeaver AS JAVA (LM Configuration Wizard) versions 7.30, 7.31, 7.40, 7.50

Description

The issue is related to insufficient input path validation of a certain parameter in the web service, allowing an unauthenticated attacker to exploit a method and download zip files to a specific directory. This leads to a Path Traversal issue.

Recommendations

For versions 7.30, 7.31, 7.40, 7.50, update to a version that includes the fix for the insufficient input path validation issue. As a temporary workaround, consider restricting access to the vulnerable web service until a patch is available. Avoid using the vulnerable parameter in the affected web service until the issue is resolved.

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2020-6286
SAPNETWEAVERCVE2020_6286

Affected Products

SAP NetWeaver AS Java