Skip links

CVE-2020-26820 Privilege escalation in SAP NetWeaver Application Server for Java (UDDI Server), SAP security note 2979062

Description

UPDATE 22nd December 2020: This note has been re-released with updated ‘Support Packages & Patches’ information. We have provided the fix to the version SR UI 7.40  SP 017 & SR UI 7.31  SP 022

The UDDI Server of SAP NetWeaver Application Server for Java allows an attacker to execute arbitrary OS commands without having the required permissions, known as escalation of privileges vulnerability. Potential impact is total compromise of confidentiality, integrity and availability of server OS.

Available fix and Supported packages

  • SR-UI | 7.20 | 7.20
  • SR-UI | 7.30 | 7.30
  • SR-UI | 7.31 | 7.31
  • SR-UI | 7.40 | 7.40
  • SR-UI | 7.50 | 7.50
  • SR UI 7.20 | SP009 | 000005
  • SR UI 7.30 | SP018 | 000002
  • SR UI 7.30 | SP019 | 000002
  • SR UI 7.30 | SP020 | 000001
  • SR UI 7.30 | SP021 | 000000
  • SR UI 7.31 | SP022 | 000002
  • SR UI 7.31 | SP023 | 000002
  • SR UI 7.31 | SP024 | 000002
  • SR UI 7.31 | SP025 | 000001
  • SR UI 7.31 | SP026 | 000001
  • SR UI 7.31 | SP027 | 000001
  • SR UI 7.31 | SP028 | 000000
  • SR UI 7.40 | SP017 | 000002
  • SR UI 7.40 | SP018 | 000002
  • SR UI 7.40 | SP019 | 000002
  • SR UI 7.40 | SP020 | 000001
  • SR UI 7.40 | SP021 | 000001
  • SR UI 7.40 | SP022 | 000001
  • SR UI 7.40 | SP023 | 000000
  • SR UI 7.50 | SP013 | 000002

Affected component

    BC-ESI-UDDI
    UDDI Server

CVSS

Score: 9.1
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Exploit

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2979062

TAGS

#Privilege-escalation
#&160-CVE-2020-26820

How to detect over 4100 vulnerabilities in SAP Systems?

More to explorer

Initiating SAP Penetration Testing

►   Pentest, short for penetration testing, refers to a set of processes that simulate an attacker’s actions to identify security vulnerabilities. Companies

SAP Security Patch Day RedRays

May 2024 SAP Security Patch Day

Vulnerability: Multiple vulnerabilities in SAP CX Commerce SAP Component: CEC-SCC-PLA-PL CVE ID: CVE-2019-17495 CVSS Score: 9.8 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Category: Program error