Security News > 2020 > December > SAP Releases Four 'Hot News' Notes on December 2020 Patch Day
SAP this week released eleven security notes as part of its December 2020 Security Patch Day, including four that were rated 'hot news.
Featuring a CVSS score of 10, the most important of the notes addresses a missing authentication check vulnerability in SAP NetWeaver AS JAVA. Identified by security researchers at Onapsis, a firm that specializes in securing Oracle and SAP applications, the issue could allow an unauthenticated attacker to perform privileged actions over a TCP connection.
By abusing these actions, the attacker could "Gain full privileged access to the affected SAP system or perform a Denial-of-Service attack rendering the SAP system unusable," Onapsis says.
The note was initially released one day after the November Patch Day.
SAP's Security Patch Day advisory for December 2020 also details six medium- and one low-priority note dealing with unrestricted file upload, formula injection, missing encryption, XSS, content spoofing, improper authentication, and open redirect vulnerabilities.