2020

CVE-2020-6287 (v3: 10) 14 Jul 2020
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.
CVE-2020-6235 (v3: 8.6) 14 Apr 2020
SAP Solution Manager (Diagnostics Agent), version 7.2, does not perform the authentication check for the functionalities of the Collector Simulator, leading to Missing Authentication.
CVE-2020-6198 (v3: 9.8) 10 Mar 2020
SAP Solution Manager (Diagnostics Agent), version 720, allows unencrypted connections from unauthenticated sources. This allows an attacker to control all remote functions on the Agent due to Missing Authentication Check.

2019

CVE-2019-0261 (v3: 9.8) 15 Feb 2019
Under certain circumstances, SAP HANA Extended Application Services, advanced model (XS advanced) does not perform authentication checks properly for XS advanced platform and business users. Fixed in 1.0.97 to 1.0.99 (running on SAP HANA 1 or SAP HANA 2 SPS0 (second S stands for stack)).
CVE-2019-0246 (v3: 9.8) 8 Jan 2019
SAP Cloud Connector, before version 2.11.3, does not perform any authentication checks for functionalities that require user identity.

2018

CVE-2018-2449 (v3: 8.6) 14 Aug 2018
SAP SRM MDM Catalog versions 3.73, 7.31, 7.32 in (SAP NetWeaver 7.3) - import functionality does not perform authentication checks for valid repository user. This is an unauthenticated functionality that you can use on windows machines to do SMB relaying.

2017

CVE-2017-16684 (v3: 9.8) 12 Dec 2017
SAP Business Intelligence Promotion Management Application, Enterprise 4.10, 4.20, and 4.30, does not perform authentication checks for functionalities that require user identity.
CVE-2017-16689 (v3: 8.8) 12 Dec 2017
A Trusted RFC connection in SAP KERNEL 32NUC, SAP KERNEL 32Unicode, SAP KERNEL 64NUC, SAP KERNEL 64Unicode 7.21, 7.21EXT, 7.22, 7.22EXT; SAP KERNEL from 7.21 to 7.22, 7.45, 7.49, can be established to a different client or a different user on the same system, although no explicit Trusted/Trusting Relation to the same system has been defined.
CVE-2017-15293 (v3: 9.8) 16 Oct 2017
Xpress Server in SAP POS does not require authentication for file read and erase operations, daemon shutdown, terminal read operations, or certain attacks on credentials. This is SAP Security Note 2520064.
CVE-2017-15295 (v3: 9.8) 16 Oct 2017
Xpress Server in SAP POS does not require authentication for read/write/delete file access. This is SAP Security Note 2520064.
CVE-2017-15297 (v3: 7.5) 16 Oct 2017
SAP Hostcontrol does not require authentication for the SOAP SAPControl endpoint. This is SAP Security Note 2442993.

2016

2015

2014

CVE-2014-5175 (v2: 7.5) 31 Jul 2014
The License Measurement servlet in SAP Solution Manager 7.1 allows remote attackers to bypass authentication via unspecified vectors, related to a verb tampering attack and SAP_JTECHS.

2013

CVE-2013-7366 (v2: 5) 10 Apr 2014
The SAP Software Deployment Manager (SDM), in certain unspecified conditions, allows remote attackers to cause a denial of service via vectors related to failed authentications.
CVE-2013-7093 (v2: 5) 13 Dec 2013
SAP Network Interface Router (SAProuter) 39.3 SP4 allows remote attackers to bypass authentication and modify the configuration via unspecified vectors.

2012

2011