Due to programming error in function module or report, SAP NetWeaver ABAP (IS-OIL) - versions 600, 602, 603, 604, 605, 606, 617, 618, 800, 802, 803, 804, 805, 806, 807, allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension. On successful exploitation, the attacker can read or modify the system data as well as shut down the system.
References
Link | Resource |
---|---|
https://me.sap.com/notes/3350297 | Permissions Required |
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
18 Jul 2023, 18:28
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
First Time |
Sap netweaver
Sap |
|
References | (MISC) https://me.sap.com/notes/3350297 - Permissions Required | |
References | (MISC) https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html - Vendor Advisory | |
CPE | cpe:2.3:a:sap:netweaver:800:*:*:*:*:*:*:* cpe:2.3:a:sap:netweaver:802:*:*:*:*:*:*:* cpe:2.3:a:sap:netweaver:617:*:*:*:*:*:*:* cpe:2.3:a:sap:netweaver:804:*:*:*:*:*:*:* cpe:2.3:a:sap:netweaver:805:*:*:*:*:*:*:* cpe:2.3:a:sap:netweaver:803:*:*:*:*:*:*:* cpe:2.3:a:sap:netweaver:603:*:*:*:*:*:*:* cpe:2.3:a:sap:netweaver:807:*:*:*:*:*:*:* cpe:2.3:a:sap:netweaver:806:*:*:*:*:*:*:* cpe:2.3:a:sap:netweaver:606:*:*:*:*:*:*:* cpe:2.3:a:sap:netweaver:604:*:*:*:*:*:*:* cpe:2.3:a:sap:netweaver:602:*:*:*:*:*:*:* cpe:2.3:a:sap:netweaver:618:*:*:*:*:*:*:* cpe:2.3:a:sap:netweaver:600:*:*:*:*:*:*:* cpe:2.3:a:sap:netweaver:605:*:*:*:*:*:*:* |
11 Jul 2023, 03:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-11 03:15
Updated : 2024-02-28 20:13
NVD link : CVE-2023-36922
Mitre link : CVE-2023-36922
CVE.ORG link : CVE-2023-36922
JSON object : View
Products Affected
sap
- netweaver
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')