Description
SAP NetWeaver AS JAVA (P2P Cluster Communication), versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, allows arbitrary connections from processes because of missing authentication check, that are outside the cluster and even outside the network segment dedicated for the internal cluster communication. As result, an unauthenticated attacker can invoke certain functions that would otherwise be restricted to system administrators only, including access to system administration functions or shutting down the system completely.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_misc
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=564757079
Permissions Required, Vendor Advisory x_refsource_misc
https://launchpad.support.sap.com/#/notes/2974774
Mailing List, Third Party Advisory mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2021/Jun/33
Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/163166/SAP-Netweaver-JAVA-7.50-Missing-Authorization.html
Scores
CVSS v3
10.0
EPSS
0.0395
EPSS Percentile
88.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Details
CWE
CWE-306
Status
published
Products (6)
sap/netweaver_application_server_java
7.11
sap/netweaver_application_server_java
7.20
sap/netweaver_application_server_java
7.30
sap/netweaver_application_server_java
7.31
sap/netweaver_application_server_java
7.40
sap/netweaver_application_server_java
7.50
Published
Dec 09, 2020
Tracked Since
Feb 18, 2026