CVE-2020-26832 Information

Description

SAP AS ABAP (SAP Landscape Transformation) versions - 2011_1_620 2011_1_640 2011_1_700 2011_1_710 2011_1_730 2011_1_731 2011_1_752 2020 and SAP S4 HANA (SAP Landscape Transformation) versions - 101 102 103 104 105 allows a high privileged user to execute a RFC function module to which access should be restricted however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H

Reference

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079 https://launchpad.support.sap.com/#/notes/2993132 http://seclists.org/fulldisclosure/2022/May/42 http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction Required

HIGH

Scope

NONE

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

NONE

Base Score

HIGH

Base Severity

7.6