CVE-2020-6287 is a vulnerability in SAP NetWeaver Application Server Java
Published on July 14, 2020
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions 7.30, 7.31, 7.40 and 7.50, does not perform an authentication check, which allows an attacker without prior authentication to execute configuration tasks and perform critical actions against the SAP Java system, including creating an administrative user, and therefore compromises the confidentiality, integrity and availability of the system (a Missing Authentication Check). The flaw is remotely reachable over HTTP(S) and needs no credentials or user interaction, which is why it carries the maximum CVSS v3 base score of 10.0; it was disclosed under the name RECON and fixed by SAP Security Note 2934135.
Known Exploited Vulnerability
This SAP NetWeaver AS Java remote unauthenticated access vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning exploitation in the wild has been confirmed. The root cause is the one described above: the LM Configuration Wizard does not perform an authentication check, so an unauthenticated attacker can execute configuration tasks and perform critical actions against the SAP Java system.
The following remediation steps are recommended / required by May 3, 2022: Apply updates per vendor instructions (SAP Security Note 2934135). Where the patch cannot be applied immediately, SAP Note 2939665 describes a temporary workaround that disables the LM Configuration Wizard application; because this vulnerability allows creation of administrative users, patched systems that were exposed should also be reviewed for unexpected administrator accounts and configuration changes.
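As an added hunting aid (example code written for this page, not from SAP, CISA or stack.watch): a small Python scanner that flags HTTP access-log requests to the LM Configuration Wizard web service, the component this vulnerability lives in. It assumes Apache/NCSA combined-log-style lines (as many reverse proxies in front of NetWeaver produce) and that the service is reached under the /CTCWebService/ path prefix; both are assumptions to adapt to your own logs, and the severity rules are a starting heuristic, not a signature. The sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Path prefix under which the LM Configuration Wizard's web service is reached.
# Assumption for this example: confirm against your own system and logs.
CTC_PATH_PREFIX = "/CTCWebService/"

# Apache/NCSA combined-log style line (assumption: adapt to your log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Hit:
    ip: str
    time: str
    method: str
    path: str
    status: int
    severity: str  # "high", "medium" or "info"


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: dict) -> Optional[Hit]:
    """Return a Hit for requests that touched the CTC web service, else None."""
    path = rec["target"].split("?", 1)[0]
    if not path.startswith(CTC_PATH_PREFIX):
        return None
    status = int(rec["status"])
    if status in (401, 403, 404):
        # The service demanded credentials or is not there: consistent with
        # the patch or the workaround (disabled application) being in place.
        severity = "info"
    elif rec["method"] == "POST" and rec["user"] == "-" and 200 <= status < 300:
        # An unauthenticated POST answered with 2xx is the shape of the missing
        # check being exercised (configuration tasks are submitted by POST);
        # treat it as a likely exploitation attempt and review the host.
        severity = "high"
    else:
        # Reachable without error (e.g. a GET for the WSDL): exposure of the
        # wizard to the client, not necessarily abuse.
        severity = "medium"
    return Hit(rec["ip"], rec["time"], rec["method"], path, status, severity)


def scan(lines: Iterable[str]) -> List[Hit]:
    """Run every parseable line through classify() and collect the hits."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample log for the example (not real traffic).
SAMPLE_LOG = [
    '10.1.2.3 - jdoe [14/Jul/2020:10:00:01 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.7 - - [14/Jul/2020:10:00:05 +0000] "GET /CTCWebService/CTCWebServiceBean?wsdl HTTP/1.1" 200 2310',
    '203.0.113.7 - - [14/Jul/2020:10:00:06 +0000] "POST /CTCWebService/CTCWebServiceBean HTTP/1.1" 200 418',
    '198.51.100.9 - - [15/Jul/2020:08:12:44 +0000] "POST /CTCWebService/CTCWebServiceBean HTTP/1.1" 401 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.severity:6} {h.time} {h.ip} {h.method} {h.path} -> {h.status}")
```

Feed it your real logs with `scan(open(path))`; a "high" hit on a host that was unpatched at that time is the trigger to look for newly created administrator accounts, which is the post-exploitation artifact this vulnerability is known for.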
Weakness Type
Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Products Associated with CVE-2020-6287
Affected Versions
SAP SE SAP NetWeaver AS JAVA (LM Configuration Wizard):
- Version 7.30 is affected.
- Version 7.31 is affected.
- Version 7.40 is affected.
- Version 7.50 is affected.
The affected entries are the exact releases listed, not every version below them. Whether a given system is fixed depends on the support package and patch level of the LM Configuration Wizard component, so check it against the vendor note rather than the major release number alone.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.