
CVE-2020-6202 Missing XML Validation in SAP NetWeaver Application Server Java (User Management Engine), SAP security note 2847787

Description

The User Management Engine (UME) does not sufficiently validate the LDAP datasource configuration XML document accepted from an untrusted source.

Well-known impacts of a missing XML validation vulnerability include the following:

  • Denial-of-service conditions on successful exploitation
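As an added example (not SAP's code and not part of this advisory), the following Java snippet shows the kind of hardened DOM parser configuration a component that accepts a configuration XML document from an untrusted source should use. DOCTYPE declarations are refused outright, so both external entity resolution (XXE) and entity-expansion denial of service are ruled out before any datasource settings are read. The class and method names, and the element names in the two constructed sample documents, are assumptions for illustration only.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical class name; illustrates a parser that is safe to point at
// untrusted configuration XML.
public class HardenedXmlConfigParser {

    // Builds a DOM parser that rejects any DOCTYPE. Without a DOCTYPE there
    // can be no entity declarations, which removes external entity access
    // (XXE) and recursive entity expansion (denial of service) in one step.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a parser ignores the DOCTYPE feature:
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true when the document is accepted by the hardened parser and
    // false when the parser rejects it (for example because it carries a DOCTYPE).
    static boolean accepts(String xml) throws ParserConfigurationException {
        try {
            Document d = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement() != null;
        } catch (SAXException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a plain datasource-style document with no DOCTYPE.
        // The element names are assumed for illustration, not SAP's schema.
        String benign = "<dataSources><dataSource name=\"ldap\" type=\"ldap\"/></dataSources>";
        // Constructed sample: the same document shape with a DOCTYPE and an
        // internal entity declaration, which the hardened parser must refuse.
        String withDoctype = "<!DOCTYPE x [<!ENTITY e \"x\">]><dataSources>&e;</dataSources>";
        System.out.println("benign document accepted: " + accepts(benign));
        System.out.println("document with DOCTYPE accepted: " + accepts(withDoctype));
    }
}
```

The design choice worth noting is that refusing the DOCTYPE is stricter than merely disabling external entities: it also stops internal entity expansion, which is the mechanism behind the denial-of-service impact listed above. A configuration document that legitimately needs a DTD should be validated against a bundled schema instead of being allowed to declare its own entities.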

Available fix and supported packages

Affected software component | From release | To release

  • SERVERCORE | 7.10 | 7.10
  • SERVERCORE | 7.11 | 7.11
  • SERVERCORE | 7.20 | 7.20
  • SERVERCORE | 7.30 | 7.30
  • SERVERCORE | 7.31 | 7.31
  • SERVERCORE | 7.40 | 7.40
  • SERVERCORE | 7.50 | 7.50

Corrected support package patch | Support package | Patch level

  • J2EE ENGINE SERVERCORE 7.10 | SP024 | 000003
  • J2EE ENGINE SERVERCORE 7.10 | SP025 | 000000
  • J2EE ENGINE SERVERCORE 7.11 | SP019 | 000003
  • J2EE ENGINE SERVERCORE 7.11 | SP020 | 000000
  • J2EE ENGINE SERVERCORE 7.20 | SP009 | 000139
  • J2EE ENGINE SERVERCORE 7.30 | SP019 | 000017
  • J2EE ENGINE SERVERCORE 7.30 | SP020 | 000001
  • J2EE ENGINE SERVERCORE 7.30 | SP021 | 000000
  • J2EE ENGINE SERVERCORE 7.31 | SP025 | 000007
  • J2EE ENGINE SERVERCORE 7.31 | SP026 | 000001
  • J2EE ENGINE SERVERCORE 7.31 | SP027 | 000000
  • J2EE ENGINE SERVERCORE 7.40 | SP020 | 000008
  • J2EE ENGINE SERVERCORE 7.40 | SP021 | 000001
  • J2EE ENGINE SERVERCORE 7.40 | SP022 | 000000
  • J2EE ENGINE SERVERCORE 7.50 | SP016 | 000007
  • J2EE ENGINE SERVERCORE 7.50 | SP017 | 000001
  • J2EE ENGINE SERVERCORE 7.50 | SP018 | 000000

Affected component

    BC-JAS-SEC-UME
    User Management Engine

CVSS

Score: 5.5
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L

Exploit

Exploit is not available.
For detailed information, please contact [email protected]

URL

https://launchpad.support.sap.com/#/notes/2847787

TAGS

#XXE
#XML-Input-parsing
#CVE-2020-6202