CVE-2020-26832

Public Exploit

Description

SAP AS ABAP (SAP Landscape Transformation), versions - 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 and SAP S4 HANA (SAP Landscape Transformation), versions - 101, 102, 103, 104, 105, allows a high privileged user to execute a RFC function module to which access should be restricted, however due to missing authorization an attacker can get access to some sensitive internal information of vulnerable SAP system or to make vulnerable SAP systems completely unavailable.

References

Link	Tags
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079	vendor advisory
https://launchpad.support.sap.com/#/notes/2993132	permissions required
http://seclists.org/fulldisclosure/2022/May/42	mailing list third party advisory exploit
http://packetstormsecurity.com/files/167229/SAP-Application-Server-ABAP-ABAP-Platform-Code-Injection-SQL-Injection-Missing-Authorization.html	third party advisory vdb entry exploit

Frequently Asked Questions

What is the severity of CVE-2020-26832?: CVE-2020-26832 has been scored as a high severity vulnerability.
How to fix CVE-2020-26832?: To fix CVE-2020-26832, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2020-26832 being actively exploited in the wild?: It is possible that CVE-2020-26832 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2020-26832?: CVE-2020-26832 affects SAP SE SAP NetWeaver AS ABAP (SAP Landscape Transformation), SAP SE SAP S4 HANA (SAP Landscape Transformation).

Description

Category

CWE-862 – Missing Authorization

References

Frequently Asked Questions