CVE-2020-26815

8.6 HIGH

📋 TL;DR

CVE-2020-26815 is a Server-Side Request Forgery (SSRF) vulnerability in SAP Fiori Launchpad's News tile Application, allowing unauthorized attackers to send crafted requests to access internal network resources normally restricted behind firewalls. This affects SAP Fiori Launchpad versions 750 through 755, potentially exposing sensitive or confidential data from internal systems.

💻 Affected Systems

Products:
  • SAP Fiori Launchpad (News tile Application)
Versions: 750, 751, 752, 753, 754, 755
Operating Systems: Not specified; typically runs on SAP-supported platforms like Linux or Windows
Default Config Vulnerable: ⚠️ Yes
Notes: This vulnerability is specific to the News tile component within SAP Fiori Launchpad and may require the application to be configured and accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could access and exfiltrate sensitive internal resources, such as databases, cloud metadata, or administrative interfaces, leading to data breaches, lateral movement, or further exploitation of internal systems.

🟠 Likely Case

Attackers may scan and retrieve information from internal web services or APIs, potentially gaining unauthorized access to confidential data or leveraging internal systems for additional attacks.

🟢 If Mitigated

With proper network segmentation, firewalls, and access controls, the impact is limited to accessing only non-sensitive or isolated resources, reducing the risk of data exposure.

🌐 Internet-Facing: HIGH, as the vulnerability allows unauthorized external attackers to bypass firewalls and target internal systems if the SAP Fiori Launchpad is exposed to the internet.
🏢 Internal Only: MEDIUM, as internal attackers could exploit this to escalate privileges or access restricted internal resources, but it requires some level of network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation involves sending crafted HTTP requests, which is relatively straightforward, and the vulnerability allows unauthenticated access, increasing the likelihood of weaponization.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Security Note 2984627; specific patched versions depend on the SAP release and component updates.

Vendor Advisory: https://launchpad.support.sap.com/#/notes/2984627

Restart Required: Yes

Instructions:

1. Access the SAP Support Portal.
2. Download and apply SAP Security Note 2984627.
3. Follow SAP's patching procedures for your specific SAP Fiori Launchpad installation.
4. Restart the affected SAP services as required.

🔧 Temporary Workarounds

Network Segmentation and Firewall Rules

Applies to: all affected versions

Restrict outbound HTTP/HTTPS requests from the SAP Fiori Launchpad server to only the internal resources it needs, blocking access to sensitive systems.

Disable or Remove News Tile

Applies to: all affected versions

Temporarily disable or remove the vulnerable News tile application from SAP Fiori Launchpad if it is not essential, to mitigate the SSRF risk.

🧯 If You Can't Patch

  • Implement strict network access controls to limit the SAP server's ability to connect to internal resources, using firewalls or proxy servers.
  • Monitor and log all outgoing requests from the SAP Fiori Launchpad for suspicious activity, such as attempts to access internal IP ranges or sensitive endpoints.

🔍 How to Verify

Check if Vulnerable:

Check if SAP Fiori Launchpad versions 750-755 are installed and if the News tile application is active; review system logs for SSRF attempts or use vulnerability scanners configured for SAP environments.

Check Version:

Use SAP transaction code SM51 or check the SAP system info via SAP GUI or command-line tools specific to your SAP installation.

Verify Fix Applied:

Verify that SAP Security Note 2984627 has been applied by checking the SAP system's patch status or version details, and test that crafted requests to the News tile no longer result in unauthorized internal access.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests from the SAP Fiori Launchpad server to internal IP addresses or domains, especially with crafted URLs or parameters indicative of SSRF attempts.

Network Indicators:

  • Outbound traffic from the SAP server to unexpected internal services, such as metadata endpoints (e.g., 169.254.169.254) or restricted administrative interfaces.

SIEM Query:

Example: source_ip='SAP_Server_IP' AND (url CONTAINS 'internal' OR dest_ip IN ['10.0.0.0/8', '192.168.0.0/16', '172.16.0.0/12']) AND http_method IN ['GET', 'POST']

(The method clause must be grouped as a single IN condition; writing http_method='GET' OR 'POST' would match every event with a truthy 'POST' literal regardless of the other filters.)
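The SIEM query above is written in a vendor-neutral pseudo-syntax. As an added example (not from the page, SAP, or any SIEM vendor), the script below implements the same detection logic in plain Python over a handful of constructed egress-log lines: it keeps only requests whose source is the Launchpad host, ignores an allow-list of destinations the tile legitimately contacts, and flags anything reaching the cloud metadata address, an RFC 1918 range, or a URL path mentioning "internal". The log format, the SAP server address and the allow-list are assumptions chosen for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical address of the SAP Fiori Launchpad host (constructed value).
SAP_SERVER_IP = "10.10.1.5"

# Destinations the Launchpad legitimately talks to (constructed allow-list,
# e.g. the internal RSS feed the News tile is configured to read).
ALLOWED_DESTINATIONS = {"10.10.1.20"}

# Cloud instance-metadata address named in the page's network indicators.
METADATA_ENDPOINT = ipaddress.ip_address("169.254.169.254")

# RFC 1918 ranges from the page's SIEM query.
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed egress/proxy log format: "<ts> src=<ip> dst=<host> method=<m> url=<u>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"method=(?P<method>\S+)\s+url=(?P<url>\S+)\s*$"
)


@dataclass
class Finding:
    ts: str
    dst: str
    method: str
    url: str
    reason: str


def classify(dst: str, url: str) -> Optional[str]:
    """Return why a destination/URL pair is suspicious, or None if it looks benign."""
    if dst in ALLOWED_DESTINATIONS:
        return None
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        addr = None  # hostname rather than a literal IP
    if addr is not None:
        if addr == METADATA_ENDPOINT:
            return "cloud metadata endpoint"
        for net in PRIVATE_NETWORKS:
            if addr in net:
                return f"private range {net}"
    if "internal" in url.lower():
        return "url references internal resource"
    return None


def scan_log(lines: List[str]) -> List[Finding]:
    """Apply the detection to each log line; only the SAP host's egress is considered."""
    findings: List[Finding] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["src"] != SAP_SERVER_IP:
            continue
        reason = classify(m["dst"], m["url"])
        if reason:
            findings.append(Finding(m["ts"], m["dst"], m["method"], m["url"], reason))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2020-10-13T10:22:01Z src=10.10.1.5 dst=10.10.1.20 method=GET url=http://10.10.1.20/news/feed.xml",
    "2020-10-13T10:22:05Z src=10.10.1.5 dst=169.254.169.254 method=GET url=http://169.254.169.254/latest/meta-data/",
    "2020-10-13T10:22:09Z src=10.10.1.5 dst=192.168.5.7 method=POST url=http://192.168.5.7:8080/admin",
    "2020-10-13T10:22:12Z src=10.10.1.5 dst=203.0.113.9 method=GET url=https://news.example.com/rss",
    "2020-10-13T10:22:15Z src=10.10.2.99 dst=10.0.0.1 method=GET url=http://10.0.0.1/",
    "2020-10-13T10:22:18Z src=10.10.1.5 dst=intranet.corp.example method=GET url=http://intranet.corp.example/internal/hr",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.method} {f.dst} {f.url} -> {f.reason}")
```

Unlike the page's query, the script does not restrict on HTTP method: an SSRF-driven request can use any verb, so filtering on GET/POST only reduces coverage. The allow-list is the important tuning knob; feed it from the News tile's configured feed URLs so legitimate traffic does not drown the alerts.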
