CVE-2023-36922: OS Command Injection in SAP SE SAP ECC and SAP S/4HANA

Severity
NVD: 8.8 HIGH
CNA: 9.1
EPSS
0.2% (top 55.98%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 11

Description

Due to a programming error in a function module and report, the IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension. On successful exploitation, the attacker can read or modify system data as well as shut down the system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (2 packages)

CVEList V5: sap_se/sap_ecc_and_sap_s_4hana, 15 versions (+14)
NVD: sap/netweaver, 15 versions (+14)

Vulnerability Details (2 sources)

GHSA
GHSA-4qhp-mwrw-89jx: Due to programming error in function module or report, SAP NetWeaver ABAP (IS-OIL) - versions 600, 602, 603, 604, 605, 606, 617, 618, 800, 802, 803, 8… (2023-07-11)
CVEList
OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL) (2023-07-11)
CVE-2023-36922 — OS Command Injection | cvebase