CVE-2020-6238 - OpenCVE

SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation. This affects confidentiality and availability (partially) of SAP Commerce.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap	Commerce Cloud

Configuration 1 [-]

OR	cpe:2.3:a:sap:commerce_cloud:6.6:::::::*
	cpe:2.3:a:sap:commerce_cloud:6.7:::::::*
	cpe:2.3:a:sap:commerce_cloud:1808:::::::*
	cpe:2.3:a:sap:commerce_cloud:1811:::::::*
	cpe:2.3:a:sap:commerce_cloud:1905:::::::*

No data.

References

Link	Providers
https://launchpad.support.sap.com/#/notes/2904480
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202

History

No history.

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2020-04-14T18:39:02

Updated: 2024-08-04T08:55:22.193Z

Reserved: 2020-01-08T00:00:00

Link: CVE-2020-6238

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-04-14T19:15:18.437

Modified: 2022-10-06T18:09:26.297

Link: CVE-2020-6238

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "SAP Commerce", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 6.6"}, {"status": "affected", "version": "< 6.7"}, {"status": "affected", "version": "< 1808"}, {"status": "affected", "version": "< 1811"}, {"status": "affected", "version": "< 1905"}]}], "descriptions": [{"lang": "en", "value": "SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation. This affects confidentiality and availability (partially) of SAP Commerce."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Missing XML Validation", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-04-14T18:39:02", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202"}, {"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/2904480"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2020-6238", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP Commerce", "version": {"version_data": [{"version_name": "<", "version_value": "6.6"}, {"version_name": "<", "version_value": "6.7"}, {"version_name": "<", "version_value": "1808"}, {"version_name": "<", "version_value": "1811"}, {"version_name": "<", "version_value": "1905"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation. This affects confidentiality and availability (partially) of SAP Commerce."}]}, "impact": {"cvss": {"baseScore": "9.3", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Missing XML Validation"}]}]}, "references": {"reference_data": [{"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202"}, {"name": "https://launchpad.support.sap.com/#/notes/2904480", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2904480"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:55:22.193Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://launchpad.support.sap.com/#/notes/2904480"}]}]}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2020-6238", "datePublished": "2020-04-14T18:39:02", "dateReserved": "2020-01-08T00:00:00", "dateUpdated": "2024-08-04T08:55:22.193Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:commerce_cloud:6.6:*:*:*:*:*:*:*", "matchCriteriaId": "CB45CC6E-1837-4B0A-9F78-730161506D6D", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:commerce_cloud:6.7:*:*:*:*:*:*:*", "matchCriteriaId": "F32D694A-18E7-40E3-8EE0-9A240DED7A34", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:commerce_cloud:1808:*:*:*:*:*:*:*", "matchCriteriaId": "5649AB0A-1D84-4716-A178-F196A1DA9C1A", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:commerce_cloud:1811:*:*:*:*:*:*:*", "matchCriteriaId": "A9DE60D1-95FF-4220-AE63-2C351781FDA1", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:commerce_cloud:1905:*:*:*:*:*:*:*", "matchCriteriaId": "19E11B22-F514-48D6-B78F-8A64CE1BA364", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SAP Commerce, versions - 6.6, 6.7, 1808, 1811, 1905, does not process XML input securely in the Rest API from Servlet xyformsweb, leading to Missing XML Validation. This affects confidentiality and availability (partially) of SAP Commerce."}, {"lang": "es", "value": "SAP Commerce, versiones 6.6, 6.7, 1808, 1811, 1905, no procesa una entrada XML de forma segura en la API Rest del Servlet xyformsweb, conllevando a una Falta de Comprobaci\u00f3n XML. Esto afecta la confidencialidad y la disponibilidad (parcialmente) de SAP Commerce."}], "id": "CVE-2020-6238", "lastModified": "2022-10-06T18:09:26.297", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "cna@sap.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-14T19:15:18.437", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://launchpad.support.sap.com/#/notes/2904480"}, {"source": "cna@sap.com", "tags": ["Broken Link", "Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}]}