← Back

CVE-2023-36922

nvd nist
Published: Jul 11, 2023Modified: Nov 21, 2024

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD

Description

Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension.  On successful exploitation, the attacker can read or modify the system data as well as shut down the system.

Affected (15)

Products: Sap: Netweaver
Sap
1 product
Netweaver
Configuration A
15 vulnerable
Vulnerable SoftwareAffected Versions
Sap
Netweaver
Version 600
Netweaver
Version 602
Netweaver
Version 603
Netweaver
Version 604
Netweaver
Version 605
Netweaver
Version 606
Netweaver
Version 617
Netweaver
Version 618
Netweaver
Version 800
Netweaver
Version 802
Netweaver
Version 803
Netweaver
Version 804
Netweaver
Version 805
Netweaver
Version 806
Netweaver
Version 807

Related CWEs

CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (4)

Source: cna@sap.com
Permissions Required
Source: cna@sap.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Permissions Required
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.