1) Improper Authentication

EUVDB-ID: #VU49920

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-6198

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to missing authentication in Diagnostics Agent component. A remote non-authenticated attacker can control all remote functions on the Agent.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SAP Solution Manager: 7.20

---

CPE2.3

• cpe:2.3:a:sap:sap_solution_manager:7.20:*:*:*:*:*:*:*

External links

http://launchpad.support.sap.com/#/notes/2845377
http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Missing Authentication for Critical Function

EUVDB-ID: #VU49919

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-6207

CWE-ID: CWE-306 - Missing Authentication for Critical Function

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to absent authentication checks within the User Experience Monitoring component. A remote non-authenticated attacker can compromise all SMDAgents connected to the Solution Manager.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SAP Solution Manager: 7.20

---

CPE2.3

• cpe:2.3:a:sap:sap_solution_manager:7.20:*:*:*:*:*:*:*

External links

http://launchpad.support.sap.com/#/notes/2890213
http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?