CVE-2020-26816
CVSS V2 Low 2.7
CVSS V3 Medium 4.5
Description
SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50, has the key material which is stored in the SAP NetWeaver AS Java Key Storage service stored in the database in the DER encoded format and is not encrypted. This enables an attacker who has administrator access to the SAP NetWeaver AS Java to decode the keys because of missing encryption and get some application data and client credentials of adjacent systems. This highly impacts Confidentiality as information disclosed could contain client credentials of adjacent systems.
Overview
- CVE ID
- CVE-2020-26816
- Assigner
- cna@sap.com
- Vulnerability Status
- Analyzed
- Published Version
- 2020-12-09T17:15:30
- Last Modified Date
- 2021-07-21T11:39:23
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:sap:netweaver_application_server_java:7.10:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:sap:netweaver_application_server_java:7.11:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:sap:netweaver_application_server_java:7.20:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:sap:netweaver_application_server_java:7.30:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:sap:netweaver_application_server_java:7.31:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:sap:netweaver_application_server_java:7.40:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:sap:netweaver_application_server_java:7.50:*:*:*:*:*:*:* | 1 | OR |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:A/AC:L/Au:S/C:P/I:N/A:N
- Access Vector
- ADJACENT_NETWORK
- Access Compatibility
- LOW
- Authentication
- SINGLE
- Confidentiality Impact
- PARTIAL
- Integrity Impact
- NONE
- Availability Impact
- NONE
- Base Score
- 2.7
- Severity
- LOW
- Exploitability Score
- 5.1
- Impact Score
- 2.9
CVSS Version 3
- Version
- 3.1
- Vector String
- CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
- Attack Vector
- ADJACENT_NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- HIGH
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- NONE
- Base Score
- 4.5
- Base Severity
- MEDIUM
- Exploitability Score
- 0.9
- Impact Score
- 3.6
References
| Reference URL | Reference Tags |
|---|---|
| https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079 | Vendor Advisory |
| https://launchpad.support.sap.com/#/notes/2971163 | Permissions Required |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2020-26816 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26816 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 07:04:08 | Added to TrackCVE | |||
| 2022-12-05 17:50:26 | 2020-12-09T17:15Z | 2020-12-09T17:15:30 | CVE Published Date | updated |
| 2022-12-05 17:50:26 | 2021-07-21T11:39:23 | CVE Modified Date | updated | |
| 2022-12-05 17:50:26 | Analyzed | Vulnerability Status | updated |