First published: Wed Dec 09 2020
In SAP AS JAVA (Key Storage Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40 and 7.50, the key material held by the SAP NetWeaver AS Java Key Storage service is stored in the database in DER-encoded format and is not encrypted. Because of this missing encryption, an attacker who has administrator access to the SAP NetWeaver AS Java can decode the keys and obtain some application data and client credentials of adjacent systems. The impact on Confidentiality is high, as the information disclosed could contain client credentials of adjacent systems.
Credit: cna@sap.com
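
The description above turns on the difference between plain DER and an encrypted container. As an added example (not SAP's code and not part of this advisory), the Python below shows how an auditor reviewing an exported key-store value can tell the two apart from the outer ASN.1 tags. It assumes the entries are PKCS#8 or PKCS#1 style structures, which the page does not state, and all sample bytes are constructed.

```python
# Added example. Assumption: stored entries are PKCS#8/PKCS#1-style DER
# structures; the advisory itself only says "DER encoded".

def read_tlv(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def classify(blob):
    """Return 'plaintext-key', 'encrypted-pkcs8', 'other-der' or 'opaque'."""
    try:
        tag, body, end = read_tlv(blob)
        if tag != 0x30 or end != len(blob):    # exactly one outer SEQUENCE
            return "opaque"
        t1, _, p = read_tlv(body)
        t2, _, p = read_tlv(body, p)
    except ValueError:
        return "opaque"
    if t1 == 0x02:         # INTEGER version first: PrivateKeyInfo, RSAPrivateKey
        return "plaintext-key"
    if t1 == 0x30 and t2 == 0x04 and p == len(body):
        return "encrypted-pkcs8"   # AlgorithmIdentifier + OCTET STRING only
    return "other-der"             # e.g. a certificate

def tlv(tag, value):
    """Encode a short DER TLV; used only to build the constructed samples."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

# Constructed samples (dummy contents, no real key material).
RSA_ALG = tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
PBES2_ALG = tlv(0x30, bytes.fromhex("06092a864886f70d01050d") + tlv(0x30, b""))
PLAIN = tlv(0x30, tlv(0x02, b"\x00") + RSA_ALG + tlv(0x04, b"\x30\x00"))
ENCRYPTED = tlv(0x30, PBES2_ALG + tlv(0x04, bytes(16)))
CERT_LIKE = tlv(0x30, tlv(0x30, b"") + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

A `plaintext-key` result means the value can be decoded by anyone who can read the column, which is the condition this CVE describes; the check is a heuristic on structure, not proof that an `opaque` value is well protected.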
Affected Software | Affected Version | How to fix |
---|---|---|
SAP NetWeaver Application Server Java | =7.10 | |
SAP NetWeaver Application Server Java | =7.11 | |
SAP NetWeaver Application Server Java | =7.20 | |
SAP NetWeaver Application Server Java | =7.30 | |
SAP NetWeaver Application Server Java | =7.31 | |
SAP NetWeaver Application Server Java | =7.40 | |
SAP NetWeaver Application Server Java | =7.50 | |
CVE-2020-26816 is a vulnerability in SAP AS JAVA (Key Storage Service) versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, and 7.50, where the key material stored in the SAP NetWeaver AS Java Key Storage service is not encrypted.
The severity of CVE-2020-26816 is medium with a CVSS score of 4.5.
CVE-2020-26816 affects SAP NetWeaver Application Server Java versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, and 7.50.
The impact of CVE-2020-26816 is that an attacker with administrator access can access the key material stored in the SAP NetWeaver AS Java Key Storage service.
To mitigate CVE-2020-26816, SAP recommends applying the patches and implementing the necessary security configurations as mentioned in the SAP notes and documentation.