Skip links

CVE-2020-6366 Missing XML Validation in SAP NetWeaver (Compare Systems), SAP security note 2969457

Description

SAP NetWeaver (Compare Systems) does not sufficiently validate uploaded XML documents. An attacker with administrative privileges can retrieve arbitrary files including files on OS level from the server and/or can execute a denial-of-service.

Available fix and Supported packages

  • LMNWABASICMBEAN | 7.20 | 7.20
  • LMNWABASICMBEAN | 7.30 | 7.30
  • LMNWABASICMBEAN | 7.31 | 7.31
  • LMNWABASICMBEAN | 7.40 | 7.40
  • LMNWABASICMBEAN | 7.50 | 7.50
  • LM NWA BASIC MBEAN 7.20 | SP009 | 000002
  • LM NWA BASIC MBEAN 7.30 | SP015 | 000002
  • LM NWA BASIC MBEAN 7.30 | SP016 | 000002
  • LM NWA BASIC MBEAN 7.30 | SP017 | 000002
  • LM NWA BASIC MBEAN 7.30 | SP018 | 000002
  • LM NWA BASIC MBEAN 7.30 | SP019 | 000002
  • LM NWA BASIC MBEAN 7.30 | SP020 | 000001
  • LM NWA BASIC MBEAN 7.30 | SP021 | 000000
  • LM NWA BASIC MBEAN 7.31 | SP022 | 000003
  • LM NWA BASIC MBEAN 7.31 | SP023 | 000002
  • LM NWA BASIC MBEAN 7.31 | SP024 | 000002
  • LM NWA BASIC MBEAN 7.31 | SP025 | 000001
  • LM NWA BASIC MBEAN 7.31 | SP026 | 000001
  • LM NWA BASIC MBEAN 7.31 | SP027 | 000001
  • LM NWA BASIC MBEAN 7.31 | SP028 | 000000
  • LM NWA BASIC MBEAN 7.40 | SP017 | 000003
  • LM NWA BASIC MBEAN 7.40 | SP018 | 000002
  • LM NWA BASIC MBEAN 7.40 | SP019 | 000002
  • LM NWA BASIC MBEAN 7.40 | SP020 | 000001
  • LM NWA BASIC MBEAN 7.40 | SP021 | 000001

Affected component

    BC-JAS-ADM-MON
    Monitoring

CVSS

Score: 7.6
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected]

URL

https://launchpad.support.sap.com/#/notes/2969457

TAGS

#&65279-XXE
#XML-input-parsing
#&160-&160-CVE-2020-6366