CVE-2020-6285 Information Disclosure in SAP NetWeaver (XMLToolkit for Java), SAP security note 2932473
Description
Under certain conditions SAP XML Toolkit for Java allows an attacker to access arbitrary files which would otherwise be restricted.
Some well-known impacts of Information Disclosure are –
- loss of information and system configuration confidentiality
- information gathering for further exploits and attacks
Available fix and Supported packages
- ENGINEAPI | 7.10 | 7.11
- ENGINEAPI | 7.20 | 7.20
- ENGINEAPI | 7.30 | 7.30
- ENGINEAPI | 7.31 | 7.31
- ENGINEAPI | 7.40 | 7.40
- ENGINEAPI | 7.50 | 7.50
- ENGINEAPI 7.10 | SP024 | 000006
- ENGINEAPI 7.10 | SP025 | 000000
- ENGINEAPI 7.11 | SP018 | 000004
- ENGINEAPI 7.11 | SP019 | 000005
- ENGINEAPI 7.11 | SP020 | 000000
- ENGINEAPI 7.20 | SP009 | 000057
- ENGINEAPI 7.30 | SP019 | 000012
- ENGINEAPI 7.30 | SP020 | 000006
- ENGINEAPI 7.30 | SP021 | 000000
- ENGINEAPI 7.31 | SP022 | 000016
- ENGINEAPI 7.31 | SP023 | 000014
- ENGINEAPI 7.31 | SP024 | 000012
- ENGINEAPI 7.31 | SP025 | 000010
- ENGINEAPI 7.31 | SP026 | 000008
- ENGINEAPI 7.31 | SP027 | 000000
- ENGINEAPI 7.31 | SP028 | 000000
- ENGINEAPI 7.40 | SP017 | 000016
- ENGINEAPI 7.40 | SP018 | 000014
- ENGINEAPI 7.40 | SP019 | 000012
- ENGINEAPI 7.40 | SP020 | 000010
Affected component
- BC-ESI-WS-JAV-RT
Runtime
CVSS
Score: 7.7
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Exploit
Exploit is not available.
For detailed information please contact the mail [email protected]
URL
https://launchpad.support.sap.com/#/notes/2932473