GSD-2020-6287
PUBLISHED
CVSS 10 CRITICAL
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40 and 7.50, does not perform an authentication check (Missing Authentication Check). This allows an attacker without prior authentication to execute configuration tasks that perform critical actions against the SAP Java system, including creating an administrative user, thereby compromising the confidentiality, integrity and availability of the system.
Risk Scores
CVSS v3.0
10
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| SAP SE | SAP NetWeaver AS JAVA (LM Configuration Wizard) | < 7.30, < 7.40, < 7.50 |
Timeline
- Apr 17, 2019 CVE Published
- Jul 23, 2020 PoC Published
- Nov 8, 2021 PoC Published
- Nov 20, 2021 PoC Published
- Nov 14, 2024 PoC Published
- Dec 24, 2024 PoC Published
- Jan 12, 2025 PoC Published
- Jan 26, 2025 PoC Published
- Feb 6, 2025 PoC Published
- Feb 23, 2025 PoC Published
- Feb 23, 2025 PoC Published
- Jun 5, 2025 PoC Published
References
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675 url
- https://launchpad.support.sap.com/#/notes/2934135 url
- https://www.onapsis.com/recon-sap-cyber-security-vulnerability url
- 20210405 Onapsis Security Advisory 2021-0003: [CVE-2020-6287] - [SAP RECON] SAP JAVA: Unauthenticated execution of configuration tasks mailing-list
- http://packetstormsecurity.com/files/162085/SAP-JAVA-Configuration-Task-Execution.html url
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-6287 url