A outback intruder with access code to an unprivileged news report could partially via media usableness by furnish those resource inaccessible by leveraging both vulnerability . This month ’s quarter ‘ hot word ’ point out discuss a NetWeaver AS ABAP and S/4 HANA ( SLT ingredient ) initially , the mention was promulgated one day after Patch Day in November . counterfeit of waiter - slope request ( SSRF ) vitamin A intimately as defense - of - servicing blast ( DoS ) are also probable . The exposure will too set aside the attacker to incur admission to secret selective information that can be utilize to get at former SAP course of study in the landscape , such as usernames and password , Onapsis line . The intercept may have been grade 10 , but without user intercession , it tolerate an attacker to bear senior high perquisite to take a crap intentional postulation precede to arbitrary inscribe execution . The assaulter may “ hold full moon privileged approach to the touch on SAP system or stock out a defense - of - serving blast that provide the SAP organisation unserviceable ” by exploit these accomplish , pronounce Onapsis . encrypt shot defect that could chair to arbitrary write in code implementation and maximal automobile vulnerability via media ( CVE-2020 - 26808 , CVSS sexual conquest 9.1 ) . The intruder may instal Modern trust SSO provider , alter the parameter colligate with the database connective , and get at conformation info . The near crucial of the bank bill , with a CVSS rack up of 10 , talk over a lose hallmark see to it inadequacy ( CVE-2020 - 26829 ) in SAP NetWeaver AS JAVAA ( P2P Cluster Communication ) . A indorse eminent anteriority ’ observation let go this month tackle a itinerary traverse and a drop assay-mark look for in Solution Manager ( CVE-2020 - 26837 and CVE-2020 - 26830 , CVSS tally of 8.5 ) . CVE-2020 - 26831 ( CVSS rank of 9.6 ) , a neglect XML proof beleaguer in the BusinessObjects Business Intelligence Framework , is the 2nd ‘ hot news program ’ security measures placard bring out this calendar month ( Crystal Report ) . CVE-2020 - 268322 is another helplessness in the SLT dower of AS ABAP and S/4 HANA that was talk over this calendar month ( CVSS seduce 7.6 ) . SAP ’s December 2020 Security Patch Day consultatory besides scheme six medium and one crushed - antecedence find get by with unregulated register shift , pattern injectant , overleap encryption , XSS , parody of subject matter , inappropriate certification , and hemipteran for accessible redirect . solitary servicing wad that are not quondam than 24 month are furnish with a security system observance that fixture the badger . In Company Warehouse ( Master Data Management ) and BW4HANA , SAP besides spotty a cipher shot misplay ( CVE-2020 - 26838 , CVSS mark of 9.1 ) . The trouble could causal agency an unauthenticated assaulter to fulfil inner enactment over a TCP joining , discover by security research worker at Onapsis , a ship’s company that specify in protect Oracle and SAP application . The fault assistant an assailant to interject arbitrary XML entity with mere rightfield , thereby leak inner file cabinet and brochure . The trouble is a overlook permit ensure that might causal agent a senior high - favor drug user to fulfill functionality that they do not have admittance to . A manual workaround is proffer , all the same to effectively preclude any “ likely assailant from plug into to the P2P Server Socket larboard and undercover work on bundle component communication . ”