
Software Affected 
•SAP Application Server ABAP, Versions - 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, 740
•SAP Business Client, Version - 6.5
•SAP Business Objects Business Intelligence Platform (Live Data Connect), Versions - 1.0, 2.0, 2.x
•SAP Adaptive Server Enterprise (Backup Server), Version - 16.0
•SAP Business Objects Business Intelligence Platform (CrystalReports WebForm Viewer), Versions - 4.1, 4.2
•SAP Adaptive Server Enterprise (Cockpit), Version - 16.0
•SAP Adaptive Server Enterprise (XP Server on Windows Platform), Versions - 15.7, 16.0
•SAP Master Data Governance, Versions - S4CORE 101; S4FND 102, 103, 104; SAP_BS_FND 748
•SAP Adaptive Server Enterprise (Web Services), Versions - 15.7, 16.0
•SAP Business Client, Version - 7.0
•SAP Business Objects Business Intelligence Platform, Version - 4.2
•SAP Adaptive Server Enterprise, Versions - 15.7, 16.0
•SAP Enterprise Threat Detection, Versions - 1.0, 2.0
•SAP Master Data Governance, Versions - 748, 749, 750, 751, 752, 800, 801, 802, 803, 804
•SAP Business Objects Business Intelligence Platform (CMC and BI launchpad), Version - 4.2
•SAP Plant Connectivity, Versions - 15.1, 15.2, 15.3, 15.4
•SAP NetWeaver AS ABAP (Web Dynpro ABAP), Versions - SAP_UI 750, 752, 753, 754; SAP_BASIS 700, 710, 730, 731, 804
•SAP Business Objects Business Intelligence Platform, Versions - before 4.1, 4.2 and 4.3
•SAP Identity Management, Version - 8.0

Overview 
Multiple vulnerabilities have been reported in SAP products which could be
exploited by a remote attacker to execute arbitrary code, inject malicious
code, obtain sensitive information, cause denial of service conditions,
perform cross-site scripting or path traversal attacks, or perform other
unauthorized activities on a targeted system.

Description
These vulnerabilities exist in SAP products due to incorrect hardening of
the XML parser, insufficient encoding of user-controlled inputs, unsafe
deserialization, insufficient validation of user-supplied path information,
use-after-free errors, improper parsing of RPT files, improper input
validation and other flaws in the affected software.

A remote attacker could exploit these vulnerabilities by injecting
malicious code, performing unauthorized queries, or sending specially
crafted XML files or GIOP packets to an affected component, which could
allow the attacker to overwrite, delete or corrupt files on a targeted
system.

Successful exploitation of these vulnerabilities could allow the attacker
to inject malicious code, execute arbitrary code, obtain sensitive
information, cause denial of service conditions, perform cross-site
scripting attacks or perform other unauthorized activities on a targeted
system.
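The description above names insufficient validation of user-supplied path information, with file overwrite, deletion or corruption as the consequence, as one of the root causes. The following Python block is an added illustration for this advisory and is not code from SAP or from the advisory itself: it places the vulnerable pattern (joining a caller-supplied path onto a base directory without checks) beside a containment check that decodes once, rejects absolute paths, backslashes and NUL bytes, and canonicalises with realpath before comparing. The base directory "/srv/reports", the function names, the probe strings and the symlink scenario are assumptions constructed for the example.

```python
# Added illustration for this advisory; not SAP code. The base directory
# "/srv/reports", the function names and the probe strings are assumptions
# constructed for the example.
import os
import tempfile
from urllib.parse import unquote


def unsafe_resolve(base_dir: str, user_path: str) -> str:
    """Vulnerable pattern: trust a caller-supplied relative path as-is.

    os.path.join drops base_dir entirely when user_path is absolute, and
    '..' segments are never rejected, so the result can name any file the
    service account can reach.
    """
    return os.path.join(base_dir, user_path)


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Return an absolute path inside base_dir, or raise ValueError.

    Order matters: decode exactly once (decoding twice would let
    '%252e%252e' through), reject NUL bytes, absolute paths and backslash
    separators, then canonicalise with realpath so symlinks and '..' are
    resolved before the containment check is made.
    """
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    if os.path.isabs(decoded) or "\\" in decoded:
        raise ValueError("absolute path or backslash separator rejected")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, decoded))
    # commonpath is the real containment test; a plain startswith(root)
    # would wrongly accept a sibling such as /srv/reports_old.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes base directory")
    return candidate


def classify(base_dir: str, probes) -> dict:
    """Map each probe to True (accepted) or False (rejected) by safe_resolve."""
    verdicts = {}
    for probe in probes:
        try:
            safe_resolve(base_dir, probe)
            verdicts[probe] = True
        except ValueError:
            verdicts[probe] = False
    return verdicts


def symlink_escape_rejected() -> bool:
    """Constructed scenario: a symlink inside the base directory points
    outside it. A purely lexical check would accept 'link/creds.txt';
    realpath exposes the real target. Returns True if safe_resolve rejects it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "reports")
        outside = os.path.join(tmp, "secret")
        os.makedirs(base)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(base, "link"))
        try:
            safe_resolve(base, "link/creds.txt")
        except ValueError:
            return True
        return False


# Constructed probe strings covering the usual traversal variants.
PROBES = [
    "q1/sales.rpt",
    "../../etc/passwd",
    "q1/../../../etc/passwd",
    "..%2F..%2Fetc%2Fpasswd",
    "/etc/passwd",
    "q1\\..\\..\\windows\\win.ini",
    "q1/sales.rpt%00.png",
]

if __name__ == "__main__":
    for probe, ok in classify("/srv/reports", PROBES).items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {probe!r}")
    print("unsafe join of '../../etc/passwd' ->",
          os.path.normpath(unsafe_resolve("/srv/reports", "../../etc/passwd")))
    print("symlink escape rejected:", symlink_escape_rejected())
```

The containment check is deliberately done on the canonicalised candidate rather than on the raw string, because every one of the probe variants (double-dot segments, percent-encoded separators, an absolute path, backslashes, an embedded NUL) reduces to the same question once realpath has run: does the resolved path still sit under the resolved base directory? Rejecting backslashes is a portability choice for a service that only expects POSIX-style relative names; a Windows deployment would need the equivalent check on the platform's own separator and drive prefixes.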

Solution
Apply the appropriate patches as mentioned on the SAP website (see Vendor Information below):
Vendor Information

SAP

References
SAP
Onapsis
CVE Name
CVE-2020-6253
CVE-2020-6262
CVE-2020-6242
CVE-2020-6248
CVE-2020-6219
CVE-2020-6252
CVE-2020-6241
CVE-2020-6243
CVE-2020-6249
CVE-2020-6244
CVE-2020-6250
CVE-2020-6245
CVE-2020-6247
CVE-2020-6251
CVE-2020-6259
CVE-2020-6254
CVE-2020-6256
CVE-2020-6257
CVE-2020-6240
CVE-2019-0352
CVE-2020-6258

© Copyright 2020. Ud64