CVE-2015-7725

Published: Oct 15, 2015Modified: May 6, 2026

6.5

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability: 8.0 / Impact: 6.4

Source: NVD

Description

Multiple SQL injection vulnerabilities in the Web-based Development Workbench in SAP HANA DB 1.00.091.00.1418659308 allow remote authenticated users to execute arbitrary SQL commands via the (1) remoteSourceName in the dropCredentials function or unspecified vectors in the (2) setTraceLevelsForXsApps, (3) _modifyUser, or (4) _newUser function, aka SAP Security Notes 2153898 and 2153765.

Affected (1)

Products: Sap: Hana

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Sap Hana	Version 1.00.091.00

Related CWEs

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

References (26)

http://packetstormsecurity.com/files/133761/SAP-HANA-_modifyUser-SQL-Injection.html

Source: cve@mitre.org

http://packetstormsecurity.com/files/133762/SAP-HANA-_newUser-SQL-Injection.html

Source: cve@mitre.org

http://packetstormsecurity.com/files/133764/SAP-HANA-setTraceLevelsForXsApps-SQL-Injection.html

Source: cve@mitre.org

http://packetstormsecurity.com/files/133769/SAP-HANA-Drop-Credentials-SQL-Injection.html

Source: cve@mitre.org

http://seclists.org/fulldisclosure/2015/Sep/110

Source: cve@mitre.org

http://seclists.org/fulldisclosure/2015/Sep/111

Source: cve@mitre.org

http://seclists.org/fulldisclosure/2015/Sep/113

Source: cve@mitre.org

http://seclists.org/fulldisclosure/2015/Sep/118

Source: cve@mitre.org

https://www.onapsis.com/blog/analyzing-sap-security-notes-may-2015-edition

Source: cve@mitre.org

https://www.onapsis.com/research/security-advisories/sap-hana-drop-credentials-sql-injection

Source: cve@mitre.org

https://www.onapsis.com/research/security-advisories/sap-hana-sql-injection-modifyuser

Source: cve@mitre.org

https://www.onapsis.com/research/security-advisories/sap-hana-sql-injection-newuser

Source: cve@mitre.org

https://www.onapsis.com/research/security-advisories/sap-sql-injection-settracelevelsforxsapps

Source: cve@mitre.org

http://packetstormsecurity.com/files/133761/SAP-HANA-_modifyUser-SQL-Injection.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://packetstormsecurity.com/files/133762/SAP-HANA-_newUser-SQL-Injection.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://packetstormsecurity.com/files/133764/SAP-HANA-setTraceLevelsForXsApps-SQL-Injection.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://packetstormsecurity.com/files/133769/SAP-HANA-Drop-Credentials-SQL-Injection.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://seclists.org/fulldisclosure/2015/Sep/110

Source: af854a3a-2127-422b-91ae-364da2661108

http://seclists.org/fulldisclosure/2015/Sep/111

Source: af854a3a-2127-422b-91ae-364da2661108

http://seclists.org/fulldisclosure/2015/Sep/113

Source: af854a3a-2127-422b-91ae-364da2661108

http://seclists.org/fulldisclosure/2015/Sep/118

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.onapsis.com/blog/analyzing-sap-security-notes-may-2015-edition

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.onapsis.com/research/security-advisories/sap-hana-drop-credentials-sql-injection

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.onapsis.com/research/security-advisories/sap-hana-sql-injection-modifyuser

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.onapsis.com/research/security-advisories/sap-hana-sql-injection-newuser

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.onapsis.com/research/security-advisories/sap-sql-injection-settracelevelsforxsapps

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.