A note with CVSS 7.2 for component BC-VCM-LVM was released by SAP on 11.02.2020. The correction/advisory 2878030 was described with "[CVE-2020-6191] Missing Input Validation in SAP Landscape Management" and affects the system type SAP Landscape Management.
A workaround does not exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is command injection within SAP Landscape Management.
Risk specificationAn attacker with admin privileges could run malicious executables with root privileges in SAP Host Agent via SAP Landscape Management
SAP Landscape validation will now properly validates user input.
- 9.9 [CVE-2021-38163] Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT)
- 7.2 [CVE-2020-6192] Missing Input Validation in SAP Landscape Management
- 7.2 [CVE-2020-6236] Privilege Escalation in SAP Landscape Management (SAP Adaptive Extensions)
- 7.2 [CVE-2020-6234] Privilege Escalation in SAP Host Agent
- 6.5 [CVE-2021-38180] CSV Injection in SAP Business One