CVE-2020-6225
9.1
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Summary
SAP NetWeaver (Knowledge Management), versions (KMC-CM - 7.00, 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 and KMC-WPC 7.30, 7.31, 7.40, 7.50), does not sufficiently validate path information provided by users, thus characters representing traverse to parent directory are passed through to the file APIs, allowing the attacker to overwrite, delete, or corrupt arbitrary files on the remote server, leading to Path Traversal.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| SAP SE | SAP NetWeaver (Knowledge Management) (KMC-CM) | < 7.00 | affected |
| SAP SE | SAP NetWeaver (Knowledge Management) (KMC-CM) | < 7.01 | affected |
| SAP SE | SAP NetWeaver (Knowledge Management) (KMC-CM) | < 7.02 | affected |
| SAP SE | SAP NetWeaver (Knowledge Management) (KMC-CM) | < 7.30 | affected |
| SAP SE | SAP NetWeaver (Knowledge Management) (KMC-CM) | < 7.31 | affected |
| SAP SE | SAP NetWeaver (Knowledge Management) (KMC-CM) | < 7.40 | affected |
| SAP SE | SAP NetWeaver (Knowledge Management) (KMC-CM) | < 7.50 | affected |
| SAP SE | SAP NetWeaver (Knowledge Management) (KMC-WPC) | < 7.30 | affected |
| SAP SE | SAP NetWeaver (Knowledge Management) (KMC-WPC) | < 7.31 | affected |
| SAP SE | SAP NetWeaver (Knowledge Management) (KMC-WPC) | < 7.40 | affected |
| SAP SE | SAP NetWeaver (Knowledge Management) (KMC-WPC) | < 7.50 | affected |
Weaknesses
- Path Traversal
ADP Enrichment
CVE Program Container
Additional References
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202
- https://launchpad.support.sap.com/#/notes/2896682
References
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=544214202
- https://launchpad.support.sap.com/#/notes/2896682
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.