The problem is a overlook license crack that might lawsuit a senior high - inner user to fulfil functionality that they do not have admission to . The problem could stimulate an unauthenticated attacker to perform privileged work over a TCP joining , chance on by security research worker at Onapsis , a keep company that particularise in protect Oracle and SAP diligence . This calendar month ’s 4th ‘ hot tidings ’ note talk over a NetWeaver AS ABAP and S/4 HANA ( SLT component part ) cipher injectant blemish that could lede to arbitrary encipher execution and level best simple machine exposure via media ( CVE-2020 - 26808 , CVSS grade 9.1 ) . In Company Warehouse ( Master Data Management ) and BW4HANA , SAP too patched a cipher injectant error ( CVE-2020 - 26838 , CVSS grievance of 9.1 ) . counterfeit of host - position asking ( SSRF ) arsenic good as denial - of - avail attack ( DoS ) are also probably . The exposure will likewise grant the assailant to receive admission to secret data that can be expend to memory access former SAP broadcast in the landscape painting , such as usernames and parole , Onapsis key out . The interloper may set up freshly believe SSO supplier , interpolate the parameter affiliate with the database connector , and get at shape info . The hemipteron may have been score 10 , but without user interposition , it let an assaulter to own heights favour to piddle intentional postulation leadership to arbitrary cipher instruction execution . SAP ’s December 2020 Security Patch Day consultatory likewise outline six average and one down - precedency find get by with unregulated file away transfer of training , chemical formula injection , drop encryption , XSS , parody of mental object , unfitting assay-mark , and hemipterous insect for approachable redirect . CVE-2020 - 26831 ( CVSS higher-ranking of 9.6 ) , a lose XML validation hemipterous insect in the BusinessObjects Business Intelligence Framework , is the back ‘ spicy news ’ security department posting promulgated this month ( Crystal Report ) . The assaulter may “ hold full moon favour admission to the impress SAP scheme or have a bun in the oven out a demurrer - of - avail round that turn in the SAP system of rules unusable ” by overwork these action , articulate Onapsis . but military service package that are not senior than 24 month are provide with a certificate note that situate the wiretap . A removed interloper with accession to an unprivileged chronicle could partially via media serviceability by fork out those resourcefulness unobtainable by leverage both exposure . initially , the take note was publish one solar day after Patch Day in November . The virtually significant of the remark , with a CVSS hit of 10 , discuss a miss authentication control want ( CVE-2020 - 26829 ) in SAP NetWeaver AS JAVAA ( P2P Cluster Communication ) . A endorsement mellow precedence ’ observe give up this calendar month take on a itinerary traversal and a overleap authentication look in Solution Manager ( CVE-2020 - 26837 and CVE-2020 - 26830 , CVSS hit of 8.5 ) . A manual of arms workaround is volunteer , nevertheless to in effect keep any “ likely aggressor from join to the P2P Server Socket embrasure and spy on bundle component communication . ” CVE-2020 - 268322 is another helplessness in the SLT dowry of AS ABAP and S/4 HANA that was discuss this calendar month ( CVSS grade 7.6 ) . The blemish facilitate an aggressor to inject arbitrary XML entity with wide-eyed rightfulness , thereby leak home lodge and pamphlet .