Vulnerability Monitor

CVE-2023-36922


Due to a programming error in a function module and report, the IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension. On successful exploitation, the attacker can read or modify the system data as well as shut down the system.


Published

2023-07-11T03:15:10.357

Last Modified

2024-11-21T08:10:55.903

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.1 (CRITICAL)

Weaknesses
  • Type: Secondary
    CWE-78
  • Type: Primary
    CWE-78

Affected Vendors & Products
Type         Vendor  Product    Version/Range  Vulnerable?
Application  sap     netweaver  600            Yes
Application  sap     netweaver  602            Yes
Application  sap     netweaver  603            Yes
Application  sap     netweaver  604            Yes
Application  sap     netweaver  605            Yes
Application  sap     netweaver  606            Yes
Application  sap     netweaver  617            Yes
Application  sap     netweaver  618            Yes
Application  sap     netweaver  800            Yes
Application  sap     netweaver  802            Yes
Application  sap     netweaver  803            Yes
Application  sap     netweaver  804            Yes
Application  sap     netweaver  805            Yes
Application  sap     netweaver  806            Yes
Application  sap     netweaver  807            Yes
