Skip links
RedRays
Published in: sap note

CVE-2020-6366 Missing XML Validation in SAP NetWeaver (Compare Systems), SAP security note 2969457

Author
Published on:

Description

SAP NetWeaver (Compare Systems) does not sufficiently validate uploaded XML documents. An attacker with administrative privileges can retrieve arbitrary files including files on OS level from the server and/or can execute a denial-of-service.

Available fix and Supported packages

  • LMNWABASICMBEAN | 7.20 | 7.20
  • LMNWABASICMBEAN | 7.30 | 7.30
  • LMNWABASICMBEAN | 7.31 | 7.31
  • LMNWABASICMBEAN | 7.40 | 7.40
  • LMNWABASICMBEAN | 7.50 | 7.50
  • LM NWA BASIC MBEAN 7.20 | SP009 | 000002
  • LM NWA BASIC MBEAN 7.30 | SP015 | 000002
  • LM NWA BASIC MBEAN 7.30 | SP016 | 000002
  • LM NWA BASIC MBEAN 7.30 | SP017 | 000002
  • LM NWA BASIC MBEAN 7.30 | SP018 | 000002
  • LM NWA BASIC MBEAN 7.30 | SP019 | 000002
  • LM NWA BASIC MBEAN 7.30 | SP020 | 000001
  • LM NWA BASIC MBEAN 7.30 | SP021 | 000000
  • LM NWA BASIC MBEAN 7.31 | SP022 | 000003
  • LM NWA BASIC MBEAN 7.31 | SP023 | 000002
  • LM NWA BASIC MBEAN 7.31 | SP024 | 000002
  • LM NWA BASIC MBEAN 7.31 | SP025 | 000001
  • LM NWA BASIC MBEAN 7.31 | SP026 | 000001
  • LM NWA BASIC MBEAN 7.31 | SP027 | 000001
  • LM NWA BASIC MBEAN 7.31 | SP028 | 000000
  • LM NWA BASIC MBEAN 7.40 | SP017 | 000003
  • LM NWA BASIC MBEAN 7.40 | SP018 | 000002
  • LM NWA BASIC MBEAN 7.40 | SP019 | 000002
  • LM NWA BASIC MBEAN 7.40 | SP020 | 000001
  • LM NWA BASIC MBEAN 7.40 | SP021 | 000001

Affected component

    BC-JAS-ADM-MON
    Monitoring

CVSS

Score: 7.6
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected]

URL

https://launchpad.support.sap.com/#/notes/2969457

TAGS

#&65279-XXE
#XML-input-parsing
#&160-&160-CVE-2020-6366

You may also like