Authorization Bypass in SAP AS ABAP and S4 HANA Products by SAP
CVE-2020-26832

7.6HIGH

Key Information:

Vendor: SAP
Status: SAP Netweaver As Abap (SAP Landscape Transformation); SAP S4 Hana (SAP Landscape Transformation)
Vendor: CVE Published:; 9 December 2020

🔔 Create SAP Vulnerability Alert

What is CVE-2020-26832?

This vulnerability in SAP AS ABAP and SAP S4 HANA permits high privileged users to execute Remote Function Call (RFC) function modules without the necessary authorization, potentially exposing sensitive internal information or rendering the affected SAP systems inoperable. Attackers can exploit this flaw to bypass access controls, resulting in unauthorized data exposure and service disruption.

Affected Version(s)

SAP NetWeaver AS ABAP (SAP Landscape Transformation) < 2011_1_620 < 2011_1_620

SAP NetWeaver AS ABAP (SAP Landscape Transformation) < 2011_1_640 < 2011_1_640

SAP NetWeaver AS ABAP (SAP Landscape Transformation) < 2011_1_700 < 2011_1_700

References

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageI...

x_refsource_MISC

https://launchpad.support.sap.com/#/notes/2993132

x_refsource_MISC

http://seclists.org/fulldisclosure/2022/May/42

mailing-listx_refsource_FULLDISC

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 9, 2020
Vulnerability Reserved
Oct 7, 2020

.