CVE-2020-26820
Severity CVSS v4.0:
Pending analysis
Type:
CWE-434
Unrestricted Upload of File with Dangerous Type
Publication date:
10/11/2020
Last modified:
01/01/2022
Description
SAP NetWeaver AS JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker who is authenticated as an administrator to use the administrator console, to expose unauthenticated access to the file system and upload a malicious file. The attacker or another user can then use a separate mechanism to execute OS commands through the uploaded file leading to Privilege Escalation and completely compromise the confidentiality, integrity and availability of the server operating system and any application running on it.
Impact
Base Score 3.x
7.20
Severity 3.x
HIGH
Base Score 2.0
9.00
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:sap:netweaver_application_server_java:7.20:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_java:7.30:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_java:7.31:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_java:7.40:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sap:netweaver_application_server_java:7.50:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page