CVE-2020-6293 - OpenCVE

SAP NetWeaver (Knowledge Management), versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to upload a malicious file and also to access, modify or make unavailable existing files but the impact is limited to the files themselves and is restricted by other policies such as access control lists and other upload file size restrictions, leading to Unrestricted File Upload.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sap	Netweaver Knowledge Management

Configuration 1 [-]

OR	cpe:2.3:a:sap:netweaver_knowledge_management:7.30:::::::*
	cpe:2.3:a:sap:netweaver_knowledge_management:7.31:::::::*
	cpe:2.3:a:sap:netweaver_knowledge_management:7.40:::::::*
	cpe:2.3:a:sap:netweaver_knowledge_management:7.50:::::::*

No data.

References

Link	Providers
https://launchpad.support.sap.com/#/notes/2938162
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345

History

No history.

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2020-08-12T13:22:41

Updated: 2024-08-04T08:55:22.260Z

Reserved: 2020-01-08T00:00:00

Link: CVE-2020-6293

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-08-12T14:15:13.957

Modified: 2020-08-13T20:30:33.043

Link: CVE-2020-6293

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "SAP NetWeaver (Knowledge Management)", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "< 7.30"}, {"status": "affected", "version": "< 7.31"}, {"status": "affected", "version": "< 7.40"}, {"status": "affected", "version": "< 7.50"}]}], "descriptions": [{"lang": "en", "value": "SAP NetWeaver (Knowledge Management), versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to upload a malicious file and also to access, modify or make unavailable existing files but the impact is limited to the files themselves and is restricted by other policies such as access control lists and other upload file size restrictions, leading to Unrestricted File Upload."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Unrestricted File Upload", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-08-12T13:22:41", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345"}, {"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/2938162"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2020-6293", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP NetWeaver (Knowledge Management)", "version": {"version_data": [{"version_name": "<", "version_value": "7.30"}, {"version_name": "<", "version_value": "7.31"}, {"version_name": "<", "version_value": "7.40"}, {"version_name": "<", "version_value": "7.50"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SAP NetWeaver (Knowledge Management), versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to upload a malicious file and also to access, modify or make unavailable existing files but the impact is limited to the files themselves and is restricted by other policies such as access control lists and other upload file size restrictions, leading to Unrestricted File Upload."}]}, "impact": {"cvss": {"baseScore": "7.3", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Unrestricted File Upload"}]}]}, "references": {"reference_data": [{"name": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345", "refsource": "MISC", "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345"}, {"name": "https://launchpad.support.sap.com/#/notes/2938162", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2938162"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:55:22.260Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://launchpad.support.sap.com/#/notes/2938162"}]}]}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2020-6293", "datePublished": "2020-08-12T13:22:41", "dateReserved": "2020-01-08T00:00:00", "dateUpdated": "2024-08-04T08:55:22.260Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_knowledge_management:7.30:*:*:*:*:*:*:*", "matchCriteriaId": "69E7BD55-6020-4CF5-9B1C-AAC6161403E0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_knowledge_management:7.31:*:*:*:*:*:*:*", "matchCriteriaId": "F6A9823F-8736-44E1-8F51-7149236A85C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_knowledge_management:7.40:*:*:*:*:*:*:*", "matchCriteriaId": "67365283-2C5E-448E-A9F7-8AA033B57F67", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:netweaver_knowledge_management:7.50:*:*:*:*:*:*:*", "matchCriteriaId": "95298857-D440-4323-ACAE-A1097DBC5C13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SAP NetWeaver (Knowledge Management), versions - 7.30, 7.31, 7.40, 7.50, allows an unauthenticated attacker to upload a malicious file and also to access, modify or make unavailable existing files but the impact is limited to the files themselves and is restricted by other policies such as access control lists and other upload file size restrictions, leading to Unrestricted File Upload."}, {"lang": "es", "value": "SAP NetWeaver (Knowledge Management), versiones - 7.30, 7.31, 7.40, 7.50, permite a un atacante no autenticado cargar un archivo malicioso y tambi\u00e9n acceder, modificar o hacer que los archivos existentes no est\u00e9n disponibles, pero el impacto es limitado a los archivos en s\u00ed y est\u00e1 restringido por otras pol\u00edticas, tales como listas de control de acceso y otras restricciones de tama\u00f1o de archivo de carga, conllevando a una carga de Archivos Sin Restricciones"}], "id": "CVE-2020-6293", "lastModified": "2020-08-13T20:30:33.043", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@sap.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-12T14:15:13.957", "references": [{"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/2938162"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}