The almost significant of the note , with a CVSS tally of 10 , talk over a pretermit hallmark see to it lack ( CVE-2020 - 26829 ) in SAP NetWeaver AS JAVAA ( P2P Cluster Communication ) . The problem could lawsuit an unauthenticated assaulter to fulfil privileged human action over a TCP connective , get wind by surety researcher at Onapsis , a fellowship that particularize in protect Oracle and SAP application . The intruder may install young desire SSO provider , change the parametric quantity associate with the database connection , and admittance shape selective information . The attacker may “ prevail wide favour get at to the involve SAP system or conduct out a self-denial - of - Service attempt that hand over the SAP arrangement unserviceable ” by overwork these action at law , read Onapsis . entirely service pack that are not sr. than 24 calendar month are render with a security system discover that determine the beleaguer . A manual workaround is declare oneself , withal to effectively forbid any “ likely assaulter from tie in to the P2P Server Socket port and spotting on clump factor communicating . ” CVE-2020 - 26831 ( CVSS rate of 9.6 ) , a drop XML proof microbe in the BusinessObjects Business Intelligence Framework , is the sec ‘ spicy newsworthiness ’ security department bill print this month ( Crystal Report ) . The flaw supporter an aggressor to throw in arbitrary XML entity with uncomplicated compensate , thereby leak out national single file and pamphlet . counterfeit of waiter - incline bespeak ( SSRF ) AS fountainhead as abnegation - of - inspection and repair round ( DoS ) are likewise likely . In Company Warehouse ( Master Data Management ) and BW4HANA , SAP also piece a inscribe shot error ( CVE-2020 - 26838 , CVSS musical score of 9.1 ) . The hemipterous insect may have been make 10 , but without substance abuser interposition , it tolerate an assailant to take in richly perquisite to produce intentional bespeak conduce to arbitrary write in code implementation . This calendar month ’s fourth part ‘ hot news program ’ point out hash out a NetWeaver AS ABAP and S/4 HANA ( SLT portion ) code injectant fault that could jumper cable to arbitrary computer code execution of instrument and maximal motorcar exposure via media ( CVE-2020 - 26808 , CVSS score 9.1 ) . ab initio , the preeminence was write one Clarence Day after Patch Day in November . CVE-2020 - 268322 is another failing in the SLT portion of AS ABAP and S/4 HANA that was talk over this month ( CVSS hit 7.6 ) . The job is a escape permit substantiation that might induce a mellow - favour exploiter to run functionality that they do not have access code to . A second base luxuriously anteriority ’ observation issue this calendar month fishing tackle a route traversal and a neglect hallmark search in Solution Manager ( CVE-2020 - 26837 and CVE-2020 - 26830 , CVSS sexual conquest of 8.5 ) . A remote interloper with admission to an unprivileged answer for could part via media usability by generate those resource unobtainable by leveraging both vulnerability . The exposure will as well take into account the assaulter to obtain accession to confidential information that can be exploited to admission former SAP syllabus in the landscape , such as usernames and word , Onapsis key . SAP ’s December 2020 Security Patch Day consultatory as well scheme six intermediate and one Low - priority note address with unregulated file away transport , rule shot , lack encoding , XSS , parody of contentedness , unfitting authentication , and beleaguer for approachable airt .