SAP Released Eleven Security Notes in December 2020 | Cybers Guards

The flaw allows an attacker with basic privileges to inject arbitrary XML entities, thereby leaking internal files and directories. The issue, discovered by security researchers at Onapsis, a company that specializes in protecting Oracle and SAP applications, could allow an unauthenticated attacker to perform privileged actions over a TCP connection. This month’s fourth ‘Hot News’ note addresses a code injection flaw in NetWeaver AS ABAP and S/4 HANA (SLT component) that could lead to arbitrary code execution and full compromise of the vulnerable system (CVE-2020-26808, CVSS score 9.1). The bug could have been scored 10, but it needs an attacker with high privileges to craft requests that lead to arbitrary code execution, without user interaction. The attacker may set up new trusted SSO providers, alter the parameters associated with the database connection, and access configuration data. SAP’s December 2020 Security Patch Day advisory also summarizes six medium-priority notes and one low-priority note dealing with unrestricted file upload, formula injection, missing encryption, XSS, content spoofing, improper authentication, and open redirect bugs. CVE-2020-268322 is another vulnerability in the SLT component of AS ABAP and S/4 HANA that was addressed this month (CVSS score 7.6). CVE-2020-26831 (CVSS score of 9.6), a missing XML validation bug in the BusinessObjects Business Intelligence Platform (Crystal Report), is the second ‘Hot News’ security note published this month. Server-side request forgery (SSRF) as well as denial-of-service (DoS) attacks are also possible.
By exploiting these operations, the attacker may “gain full privileged access to the affected SAP system or carry out a denial-of-service attack that renders the SAP system unusable,” says Onapsis. By leveraging both vulnerabilities, a remote attacker with access to an unprivileged account could partially compromise availability by rendering those resources inaccessible. The issue is a missing authorization check that might allow a high-privileged user to run functionality that they do not have access to. SAP also patched a code injection flaw in Business Warehouse (Master Data Management) and BW4HANA (CVE-2020-26838, CVSS score of 9.1). A manual workaround is provided, however, to effectively prevent any “potential attacker from connecting to the P2P Server Socket port and spying on cluster element communication.” The most important of the notes, with a CVSS score of 10, addresses a missing authentication check vulnerability (CVE-2020-26829) in SAP NetWeaver AS JAVA (P2P Cluster Communication). The note was initially published one day after Patch Day in November. A second ‘High priority’ note released this month fixes a path traversal and a missing authentication check in Solution Manager (CVE-2020-26837 and CVE-2020-26830, CVSS score of 8.5). Only support packages that are not older than 24 months are provided with a security note that fixes the bug. The vulnerability will also allow the attacker to gain access to confidential data, such as usernames and passwords, that can be used to access other SAP systems in the landscape, Onapsis notes.
