History Feb 12, 2020 - 8:15 p.m.

CVE-2020-6188

2020-02-12 20:15:14
CWE-862
sap
web.nvd.nist.gov
cve-2020-6188
vat pro-rata
sap erp
sap s/4 hana
missing authorization check
nvd

CVSS2: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3: 8.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.5
Confidence: High

EPSS: 0.001
Percentile: 42.8%

VAT Pro-Rata reports in SAP ERP (SAP_APPL versions 600, 602, 603, 604, 605, 606, 616 and SAP_FIN versions 617, 618, 700, 720, 730) and SAP S/4 HANA (versions 100, 101, 102, 103, 104) do not perform necessary authorization checks for an authenticated user leading to Missing Authorization Check.

Affected configurations

Nvd
Node
sap erp Match 6.0
OR
sap s\/4_hana Match 1511
OR
sap s\/4_hana Match 1610
OR
sap s\/4_hana Match 1709
OR
sap s\/4_hana Match 1809
OR
sap s\/4_hana Match 1909

| Vendor | Product | Version | CPE |
|--------|---------|---------|-----|
| sap | erp | 6.0 | cpe:2.3:a:sap:erp:6.0:*:*:*:*:*:*:* |
| sap | s\/4_hana | 1511 | cpe:2.3:a:sap:s\/4_hana:1511:*:*:*:*:*:*:* |
| sap | s\/4_hana | 1610 | cpe:2.3:a:sap:s\/4_hana:1610:*:*:*:*:*:*:* |
| sap | s\/4_hana | 1709 | cpe:2.3:a:sap:s\/4_hana:1709:*:*:*:*:*:*:* |
| sap | s\/4_hana | 1809 | cpe:2.3:a:sap:s\/4_hana:1809:*:*:*:*:*:*:* |
| sap | s\/4_hana | 1909 | cpe:2.3:a:sap:s\/4_hana:1909:*:*:*:*:*:*:* |

CNA Affected

[
  {
    "product": "SAP ERP (SAP_APPL)",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "= 6.0"
      },
      {
        "status": "affected",
        "version": "= 6.02"
      },
      {
        "status": "affected",
        "version": "= 6.03"
      },
      {
        "status": "affected",
        "version": "= 6.04"
      },
      {
        "status": "affected",
        "version": "= 6.05"
      },
      {
        "status": "affected",
        "version": "= 6.06"
      },
      {
        "status": "affected",
        "version": "= 6.16"
      }
    ]
  },
  {
    "product": "SAP ERP (SAP_FIN)",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "= 6.17"
      },
      {
        "status": "affected",
        "version": "= 6.18"
      },
      {
        "status": "affected",
        "version": "= 7.0"
      },
      {
        "status": "affected",
        "version": "= 7.20"
      },
      {
        "status": "affected",
        "version": "= 7.30"
      }
    ]
  },
  {
    "product": "SAP S/4 HANA (S4CORE)",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "= 1.0"
      },
      {
        "status": "affected",
        "version": "= 1.01"
      },
      {
        "status": "affected",
        "version": "= 1.02"
      },
      {
        "status": "affected",
        "version": "= 1.03"
      },
      {
        "status": "affected",
        "version": "= 1.04"
      }
    ]
  }
]
