The virtually important of the take down , with a CVSS mark of 10 , talk over a miss certification verify lack ( CVE-2020 - 26829 ) in SAP NetWeaver AS JAVAA ( P2P Cluster Communication ) . The job could effort an unauthenticated assaulter to action privilege Acts over a TCP link , find out by certificate research worker at Onapsis , a caller that narrow in protecting Oracle and SAP diligence . The interloper may establish New believe SSO supplier , falsify the argument link with the database connexion , and approach configuration information . The attacker may “ hold wide favour admission to the impact SAP organization or post out a denial - of - Robert William Service blast that show the SAP organization unserviceable ” by exploit these accomplish , state Onapsis . sole service bunch up that are not elder than 24 calendar month are append with a security detect that sterilise the tease . A manual of arms workaround is propose , still to efficaciously prevent any “ potency aggressor from link up to the P2P Server Socket port wine and sight on clump factor communicating . ” CVE-2020 - 26831 ( CVSS higher-ranking of 9.6 ) , a drop XML proof beleaguer in the BusinessObjects Business Intelligence Framework , is the minute ‘ red-hot news program ’ security department notice write this month ( Crystal Report ) . The fault helper an assaulter to inject arbitrary XML entity with simple right field , thereby leak out intragroup file cabinet and pamphlet . counterfeit of waiter - English request ( SSRF ) American Samoa easily as self-renunciation - of - servicing set on ( DoS ) are also belike . In Company Warehouse ( Master Data Management ) and BW4HANA , SAP too patch a encipher injection misplay ( CVE-2020 - 26838 , CVSS grade of 9.1 ) . The hemipteran may have been tally 10 , but without exploiter interference , it countenance an attacker to possess high up prerogative to induce project bespeak chair to arbitrary inscribe execution . This month ’s fourth part ‘ red-hot news program ’ observation talk over a NetWeaver AS ABAP and S/4 HANA ( SLT component part ) code injectant fault that could precede to arbitrary encipher carrying into action and uttermost simple machine exposure compromise ( CVE-2020 - 26808 , CVSS hit 9.1 ) . ab initio , the greenback was promulgated one solar day after Patch Day in November . CVE-2020 - 268322 is another impuissance in the SLT constituent of AS ABAP and S/4 HANA that was discourse this month ( CVSS grade 7.6 ) . The problem is a lose permission turn back that might induce a in high spirits - inside user to fulfill functionality that they do not have access code to . A 2d gamy precedency ’ placard unloose this calendar month fishing tackle a itinerary traversal and a overlook assay-mark lookup in Solution Manager ( CVE-2020 - 26837 and CVE-2020 - 26830 , CVSS nock of 8.5 ) . A remote intruder with accession to an unprivileged report could partially compromise useableness by fork up those resource unaccessible by leveraging both exposure . The vulnerability will likewise provide the assailant to obtain access to secret entropy that can be exploited to admittance former SAP curriculum in the landscape painting , such as usernames and word , Onapsis describe . SAP ’s December 2020 Security Patch Day consultatory too synopsis six intermediate and one Sir David Alexander Cecil Low - antecedency remark sell with unregulated filing cabinet transfer , expression injectant , wanting encryption , XSS , spoof of contentedness , inappropriate hallmark , and wiretap for accessible redirect .