CVE-2020-26816

Summary

SAP AS JAVA (Key Storage Service), versions - 7.10, 7.11, 7.20 ,7.30, 7.31, 7.40, 7.50, has the key material which is stored in the SAP NetWeaver AS Java Key Storage service stored in the database in the DER encoded format and is not encrypted. This enables an attacker who has administrator access to the SAP NetWeaver AS Java to decode the keys because of missing encryption and get some application data and client credentials of adjacent systems. This highly impacts Confidentiality as information disclosed could contain client credentials of adjacent systems.

Affected Software

VendorProductVersion RangeStatus
SAP SESAP NetWeaver AS JAVA (Key Storage Service)< 7.10affected
SAP SESAP NetWeaver AS JAVA (Key Storage Service)< 7.11affected
SAP SESAP NetWeaver AS JAVA (Key Storage Service)< 7.20affected
SAP SESAP NetWeaver AS JAVA (Key Storage Service)< 7.30affected
SAP SESAP NetWeaver AS JAVA (Key Storage Service)< 7.31affected
SAP SESAP NetWeaver AS JAVA (Key Storage Service)< 7.40affected
SAP SESAP NetWeaver AS JAVA (Key Storage Service)< 7.50affected

Weaknesses

  • Missing Encryption

ADP Enrichment

CVE Program Container

Additional References

References