Vahagn Vardanian

Co-founder and CTO of RedRays

CVE-2020-26838 Code Injection vulnerability in SAP Business Warehouse (Master Data Management) and SAP BW4HANA, SAP security note 2983367

Description

UPDATE 12 January 2021: the note has been re-released with updated 'Validity' and 'Support Packages & Patches' information; the validity for all covered code lines has been extended down to the lowest possible SP level.

SAP BW Master Data Management and SAP BW4HANA allow an attacker who already holds high privileges to submit a crafted request that generates and executes code, with no user interaction required. Such a request can lead to the execution of operating system commands on the application server, which may completely compromise the confidentiality, integrity and availability of the server, its data and any other applications running on it.

Available fix and supported packages

Affected software component | release from | release to:

  • DW4CORE | 100 | 100
  • DW4CORE | 200 | 200
  • SAP_BW | 700 | 702
  • SAP_BW | 730 | 730
  • SAP_BW | 731 | 731
  • SAP_BW | 740 | 740
  • SAP_BW | 750 | 755
  • SAP_BW | 782 | 782

Support packages containing the correction (component release | support package):

  • DW4CORE 200 | SAPK-20007INDW4CORE
  • DW4CORE 100 | SAPK-10019INDW4CORE
  • SAP_BW 740 | SAPKW74025
  • SAP_BW 755 | SAPK-75501INSAPBW
  • SAP_BW 750 | SAPK-75020INSAPBW
  • SAP_BW 751 | SAPK-75112INSAPBW
  • | SAPK-783BHINSAPBW
  • SAP_BW 752 | SAPK-75208INSAPBW
  • SAP_BW 753 | SAPK-75306INSAPBW
  • SAP_BW 754 | SAPK-75404INSAPBW
  • SAP_BW 700 | SAPKW70041
  • SAP_BW 701 | SAPKW70124
  • SAP_BW 702 | SAPKW70224
  • SAP_BW 782 | SAPK-78202INSAPBW
  • SAP_BW 731 | SAPKW73129
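A quick way to turn the list above into an exposure check is to compare the support package level a system reports (System > Status > Component information, or the SAP_BW / DW4CORE entry in the component list) against the fix level for its release. The script below is an added example written for this page, not RedRays or SAP code. It assumes the usual SAP support package naming convention, which is an assumption here: SAPKW<release><SP> for older SAP_BW releases (SAPKW74025 = release 740, SP 25) and SAPK-<release><SP>IN<component> for newer ones (SAPK-75020INSAPBW = release 750, SP 20). The one entry on the page whose release is not given and whose name does not follow that pattern (SAPK-783BHINSAPBW) is deliberately left out and reported as unparseable rather than guessed. The sample system entries at the bottom are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fix levels as listed in the note's 'Support Packages & Patches' section above:
# (component, release) -> support package containing the correction.
FIX_PACKAGES: Dict[Tuple[str, str], str] = {
    ("DW4CORE", "200"): "SAPK-20007INDW4CORE",
    ("DW4CORE", "100"): "SAPK-10019INDW4CORE",
    ("SAP_BW", "740"): "SAPKW74025",
    ("SAP_BW", "755"): "SAPK-75501INSAPBW",
    ("SAP_BW", "750"): "SAPK-75020INSAPBW",
    ("SAP_BW", "751"): "SAPK-75112INSAPBW",
    ("SAP_BW", "752"): "SAPK-75208INSAPBW",
    ("SAP_BW", "753"): "SAPK-75306INSAPBW",
    ("SAP_BW", "754"): "SAPK-75404INSAPBW",
    ("SAP_BW", "700"): "SAPKW70041",
    ("SAP_BW", "701"): "SAPKW70124",
    ("SAP_BW", "702"): "SAPKW70224",
    ("SAP_BW", "782"): "SAPK-78202INSAPBW",
    ("SAP_BW", "731"): "SAPKW73129",
}

# Assumed naming conventions (see lead-in): SAPKW<rel><sp> and SAPK-<rel><sp>IN<comp>.
_SP_OLD = re.compile(r"^SAPKW(\d{3})(\d{2})$")
_SP_NEW = re.compile(r"^SAPK-(\d{3})(\d{2})IN[A-Z0-9_]+$")


def parse_sp(package: str) -> Optional[Tuple[str, int]]:
    """Return (release, SP level) for a support package name, or None when the
    name does not follow the assumed convention (e.g. SAPK-783BHINSAPBW)."""
    name = package.strip().upper()
    for pattern in (_SP_OLD, _SP_NEW):
        m = pattern.match(name)
        if m:
            return m.group(1), int(m.group(2))
    return None


def fix_level(component: str, release: str) -> Optional[int]:
    """SP level at which the correction is contained for this release, or None
    if the page lists no support package for that release."""
    package = FIX_PACKAGES.get((component.upper(), release))
    if package is None:
        return None
    parsed = parse_sp(package)
    if parsed is None or parsed[0] != release:
        return None
    return parsed[1]


def assess(component: str, release: str, installed_level: int) -> Tuple[str, str]:
    """Classify an installed SP level against the fix level for its release."""
    level = fix_level(component, release)
    if level is None:
        return ("NOT_LISTED",
                f"{component} {release}: no fix package listed on this page; check the note")
    if installed_level >= level:
        return ("PATCHED",
                f"{component} {release} SP {installed_level:02d} contains the correction (fix SP {level:02d})")
    # An SP below the fix level is not proof of exposure: the note may have been
    # implemented via SNOTE correction instructions without moving to that SP.
    return ("BELOW_FIX_LEVEL",
            f"{component} {release} SP {installed_level:02d} is below fix SP {level:02d}; "
            f"verify whether note 2983367 was implemented via SNOTE")


def assess_package(component: str, highest_package: str) -> Tuple[str, str]:
    """Same check, driven by the 'highest support package' name a system reports."""
    parsed = parse_sp(highest_package)
    if parsed is None:
        return ("UNPARSEABLE", f"{highest_package}: unrecognised support package name; check manually")
    release, level = parsed
    return assess(component, release, level)


def assess_system(components: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Run assess_package over (component, highest support package) pairs."""
    return [assess_package(comp, pkg) for comp, pkg in components]


if __name__ == "__main__":
    # Constructed sample of what a component list might report; not real systems.
    sample = [
        ("SAP_BW", "SAPK-75019INSAPBW"),   # one SP short of the fix
        ("SAP_BW", "SAPKW74025"),          # exactly the fix SP
        ("DW4CORE", "SAPK-20009INDW4CORE"), # above the fix SP
        ("SAP_BW", "SAPK-783BHINSAPBW"),   # naming not covered by the assumed pattern
    ]
    for status, detail in assess_system(sample):
        print(f"{status:16s} {detail}")
```

Treat PATCHED as a necessary, not sufficient, signal for closure: the check only confirms the code line moved past the SP in which SAP shipped the correction, and BELOW_FIX_LEVEL still has to be reconciled with the SNOTE implementation status of note 2983367 before a system is reported as exposed.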

Affected component

    BW-WHM-DBA-MD
    Master Data

CVSS

Score: 9.1 (Critical)
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (network-reachable, low complexity, requires high privileges, no user interaction, scope changed, full impact on confidentiality, integrity and availability)

PoC

Detailed vulnerability information has been added to the RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2983367

TAGS

#Command-Injection
#OS-command-injection
#CVE-2020-26838
