Lucene search

SapCVE-2020-6197

HistoryMar 10, 2020 - 9:15 p.m.

CVE-2020-6197

2020-03-1021:15:13

CWE-613

sap

web.nvd.nist.gov

cve-2020-6197

sap enable now

session tokens

insufficient session expiration

security vulnerability

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3

3.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

Confidence

High

EPSS

Percentile

5.1%

JSON

SAP Enable Now, before version 1908, does not invalidate session tokens in a timely manner. The Insufficient Session Expiration may allow attackers with local access, for instance, to still download the portables.

Affected configurations

Nvd

Node

sapenable_nowRange<1908

VendorProductVersionCPE
sapenable_now*cpe:2.3:a:sap:enable_now:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
sap	enable_now	*	cpe:2.3:a:sap:enable_now::::::::

CNA Affected

[
  {
    "product": "SAP Enable Now",
    "vendor": "SAP SE",
    "versions": [
      {
        "status": "affected",
        "version": "< before version 1908"
      }
    ]
  }
]

References

launchpad.support.sap.com/#/notes/2845363

wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3

3.3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

Confidence

High

EPSS

Percentile

5.1%

JSON

Related for CVE-2020-6197