CVE-2020-6225 CRITICAL

Vendor SAP SE
Product SAP NetWeaver (Knowledge Management) (KMC-CM)
Published April 14, 2020
Last update August 4, 2024

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

What the vulnerability does

01 Description

SAP NetWeaver (Knowledge Management), versions (KMC-CM - 7.00, 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 and KMC-WPC 7.30, 7.31, 7.40, 7.50), does not sufficiently validate path information provided by users. As a result, characters that represent traversal to the parent directory are passed through to the file APIs, allowing an attacker to overwrite, delete, or corrupt arbitrary files on the remote server, leading to Path Traversal.

Key dates

02 Disclosure timeline

April 14, 2020 CVE published
August 4, 2024 Record updated