CVE-2020-26832 - Missing Authorization vulnerability in SAP NetWeaver Application Server ABAP and S/4 HANA
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: HIGH
- Confidentiality impact: LOW
- Integrity impact: NONE
- Availability impact: HIGH

Summary
SAP AS ABAP (SAP Landscape Transformation), versions 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020, and SAP S4 HANA (SAP Landscape Transformation), versions 101, 102, 103, 104, 105, allow a high-privileged user to execute an RFC function module to which access should be restricted. Due to the missing authorization, an attacker can gain access to some sensitive internal information of the vulnerable SAP system or make vulnerable SAP systems completely unavailable.
References
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079
- https://launchpad.support.sap.com/#/notes/2993132
- http://seclists.org/fulldisclosure/2022/May/42
- http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html