CVE-2020-6225

Summary

SAP NetWeaver (Knowledge Management), versions (KMC-CM - 7.00, 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 and KMC-WPC 7.30, 7.31, 7.40, 7.50), does not sufficiently validate path information provided by users, thus characters representing traverse to parent directory are passed through to the file APIs, allowing the attacker to overwrite, delete, or corrupt arbitrary files on the remote server, leading to Path Traversal.

Affected Software

VendorProductVersion RangeStatus
SAP SESAP NetWeaver (Knowledge Management) (KMC-CM)< 7.00affected
SAP SESAP NetWeaver (Knowledge Management) (KMC-CM)< 7.01affected
SAP SESAP NetWeaver (Knowledge Management) (KMC-CM)< 7.02affected
SAP SESAP NetWeaver (Knowledge Management) (KMC-CM)< 7.30affected
SAP SESAP NetWeaver (Knowledge Management) (KMC-CM)< 7.31affected
SAP SESAP NetWeaver (Knowledge Management) (KMC-CM)< 7.40affected
SAP SESAP NetWeaver (Knowledge Management) (KMC-CM)< 7.50affected
SAP SESAP NetWeaver (Knowledge Management) (KMC-WPC)< 7.30affected
SAP SESAP NetWeaver (Knowledge Management) (KMC-WPC)< 7.31affected
SAP SESAP NetWeaver (Knowledge Management) (KMC-WPC)< 7.40affected
SAP SESAP NetWeaver (Knowledge Management) (KMC-WPC)< 7.50affected

Weaknesses

  • Path Traversal

ADP Enrichment

CVE Program Container

Additional References

References