
CVE-2020-6363 : Security Advisory and Response

Learn about CVE-2020-6363 affecting SAP Commerce Cloud versions 1808, 1811, 1905, and 2005. Discover the impact, technical details, and mitigation steps for this vulnerability.

SAP Commerce Cloud versions 1808, 1811, 1905, and 2005 are affected by an Insufficient Session Expiration vulnerability, potentially allowing attackers to reuse old session credentials.

Understanding CVE-2020-6363

The affected SAP Commerce Cloud releases expose web applications that maintain user sessions, and it is this session handling that carries the Insufficient Session Expiration weakness.

What is CVE-2020-6363?

This CVE pertains to SAP Commerce Cloud versions 1808, 1811, 1905, and 2005, where user sessions are not properly invalidated after changing passphrases, enabling attackers to reuse old session credentials.

The Impact of CVE-2020-6363

The vulnerability allows an attacker who holds a session credential issued before a password change to keep using it afterward, posing a risk of unauthorized access and potential data breaches.

Technical Details of CVE-2020-6363

The vulnerability lies in how SAP Commerce Cloud ties user session management to its authentication processes: a password change does not end the sessions established under the old password.

Vulnerability Description

The issue arises from the failure to invalidate active user sessions after changing passphrases, enabling attackers to reuse old session credentials.

Affected Systems and Versions

        Product: SAP Commerce Cloud
        Vendor: SAP SE
        Affected Versions: < 1808, < 1811, < 1905, < 2005

Exploitation Mechanism

Attackers can exploit the vulnerability by reusing old session credentials to gain unauthorized access to SAP Commerce Cloud web applications.
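To make the gap concrete, here is an added example (not SAP Commerce Cloud code, but a constructed in-memory session table) contrasting a password change that leaves existing sessions alive with one that revokes them, plus a check that lists sessions predating a user's last credential change, which is the condition a defender wants to detect. The names `SessionStore`, `change_password_vulnerable`, `change_password` and `stale_sessions` are hypothetical.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed in-memory session table used to illustrate insufficient session
# expiration on password change; a hypothetical model, not SAP Commerce code.


@dataclass
class Session:
    user: str
    issued_at: float


class SessionStore:
    def __init__(self):
        self.sessions = {}            # token -> Session
        self.password_hash = {}       # user -> stored credential (opaque here)
        self.credential_changed = {}  # user -> time of last password change

    def login(self, user, now=None):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, now if now is not None else time.time())
        return token

    def is_valid(self, token):
        return token in self.sessions

    def change_password_vulnerable(self, user, new_hash, now=None):
        # Rotates the credential but leaves every existing session usable:
        # the behaviour the advisory describes for the affected releases.
        self.password_hash[user] = new_hash
        self.credential_changed[user] = now if now is not None else time.time()

    def change_password(self, user, new_hash, current_token, now=None):
        # Rotate, then revoke every other session bound to the old credential.
        self.change_password_vulnerable(user, new_hash, now)
        revoked = [t for t, s in self.sessions.items() if s.user == user and t != current_token]
        for t in revoked:
            del self.sessions[t]
        # The session that performed the change is re-issued at the change time.
        if current_token in self.sessions:
            self.sessions[current_token].issued_at = self.credential_changed[user]
        return len(revoked)

    def stale_sessions(self, user):
        # Detection check: sessions that predate the user's last credential change
        # should not exist; any returned here show the revocation gap is present.
        changed = self.credential_changed.get(user)
        if changed is None:
            return []
        return [t for t, s in self.sessions.items() if s.user == user and s.issued_at < changed]
```

Running `stale_sessions` periodically against a real session table (issue time versus last password-change time) gives a simple audit for the condition, independent of how the application itself validates tokens.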

Mitigation and Prevention

Immediate action and long-term security practices are crucial to mitigate the risks associated with CVE-2020-6363.

Immediate Steps to Take

        Monitor and log user sessions for unusual activity.
        Implement multi-factor authentication to enhance security.
        Regularly review and update session management policies.

Long-Term Security Practices

        Conduct regular security assessments and penetration testing.
        Educate users on secure password practices and session management.

Patching and Updates

        Apply security patches provided by SAP to address the vulnerability in affected versions.
