Multiple vulnerabilities in SAP Disclosure Management

Published: 2020-07-14

Risk	Medium
Patch available	YES
Number of vulnerabilities	5
CVE-ID	CVE-2020-6267 CVE-2020-6289 CVE-2020-6290 CVE-2020-6291 CVE-2020-6292
CWE-ID	CWE-264
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available. Public exploit code for vulnerability #5 is available.
Vulnerable software Subscribe	SAP Disclosure Management Web applications / Remote management & hosting panels
Vendor	SAP

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU29718

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-6267

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to unspecified error within the SAP Disclosure Management. A remote non-authenticated attacker can gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SAP Disclosure Management: 10.01

CPE2.3

cpe:2.3:a:sap:sap_disclosure_management:10.01:*:*:*:*:*:*:*

External links

http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU29719

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-6289

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to unspecified error within the SAP Disclosure Management. A remote non-authenticated attacker can gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SAP Disclosure Management: 10.01

CPE2.3

cpe:2.3:a:sap:sap_disclosure_management:10.01:*:*:*:*:*:*:*

External links

http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU29720

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-6290

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to unspecified error within the SAP Disclosure Management. A remote non-authenticated attacker can gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SAP Disclosure Management: 10.01

CPE2.3

cpe:2.3:a:sap:sap_disclosure_management:10.01:*:*:*:*:*:*:*

External links

http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU29721

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-6291

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to unspecified error within the SAP Disclosure Management. A remote non-authenticated attacker can gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SAP Disclosure Management: 10.01

CPE2.3

cpe:2.3:a:sap:sap_disclosure_management:10.01:*:*:*:*:*:*:*

External links

http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU29722

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-6292

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to unspecified error within the SAP Disclosure Management. A remote non-authenticated attacker can gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SAP Disclosure Management: 10.01

CPE2.3

cpe:2.3:a:sap:sap_disclosure_management:10.01:*:*:*:*:*:*:*

External links

http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?