- On 13. May 2020
SEC Consult Vulnerability Lab discovered a critical code injection vulnerability (CVE-2020-6262) with a CVSSv3 Score of 9.9 in SAP® Service Data Download (a part of the SAP® Solution Manager Plugin ST-PI).
This vulnerability affects all SAP® ABAP servers that use the below mentioned components. It can be exploited over the network and allows an authenticated attacker to inject code into a standard ABAP application to control the behavior of the vulnerable component and thereby the entire SAP® Application Server ABAP.
The impact is of highest criticality as the vulnerability itself enables e.g.:
- Unauthorized execution of arbitrary commands
- Disclosure of sensitive information
- Denial of Service (DoS) attacks
Considering the impact, we advice all customers to implement note 2835979 as soon as possible.
As part of the SEC Consult responsible disclosure process this vulnerability was reported to SAP® by SEC Consult’s researchers (Alexander Meier and Fabian Hagg) immediately after discovery on 20th April 2020. Further detailed information will be published three months after patch release in accordance with SAP’s responsible disclosure guidelines.
We want to express our thanks to the folks at SAP®, especially the SAP® Product Security Response Team. They reacted fast for every inquiry and released a timely patch on the 12th May 2020.
|Title||Code Injection Vulnerability in Service Data Download|
|Type||Code Injection/Remote Code Execution|
|CVSS v3 Vector||AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H|
|CVSS v3 Score||9.9|
|Affected Component||SAP® Solution Tools Plug-In ST-PI|
|Affected Product||SAP® Application Server ABAP, ST-PI versions- 2008_1_46C, 2008_1_620, 2008_1_640, 2008_1_700, 2008_1_710, 740|
|Available Patches||https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=545396222 (Security Note 2835979)|
|Release date patch||2020-05-12|
|Planned release date for detailed advisory||2020-08-12|