CVE-2020-6224: 
SAP NetWeaver Application Server Java vulnerability analysis and mitigation

SAP NetWeaver AS Java (HTTP Service), versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, and 7.50, contains an information disclosure vulnerability identified as CVE-2020-6224. The vulnerability was disclosed on April 14, 2020, and allows an attacker with administrator privileges to access sensitive user data, including passwords in trace files, when users log in and send requests with login credentials (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.2 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N. The vulnerability requires network access, high privileges, and user interaction to be exploited. The weakness is categorized as CWE-532: Insertion of Sensitive Information into Log File (NVD).

When successfully exploited, the vulnerability allows attackers with administrator privileges to access sensitive user data, particularly passwords stored in trace files. This could lead to unauthorized access to user accounts and potential compromise of system security (NVD).

SAP has released security patches to address this vulnerability. Organizations using affected versions of SAP NetWeaver AS Java (HTTP Service) should upgrade to a patched version as recommended in SAP's security advisory (SAP Advisory).