CVE-2023-36922

Summary

Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension.  On successful exploitation, the attacker can read or modify the system data as well as shut down the system.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP ECC and SAP S/4HANA (IS-OIL)IS-OIL 600affected
SAP_SESAP ECC and SAP S/4HANA (IS-OIL)IS-OIL 602affected
SAP_SESAP ECC and SAP S/4HANA (IS-OIL)IS-OIL 603affected
SAP_SESAP ECC and SAP S/4HANA (IS-OIL)IS-OIL 604affected
SAP_SESAP ECC and SAP S/4HANA (IS-OIL)IS-OIL 605affected
SAP_SESAP ECC and SAP S/4HANA (IS-OIL)IS-OIL 606affected
SAP_SESAP ECC and SAP S/4HANA (IS-OIL)IS-OIL 617affected
SAP_SESAP ECC and SAP S/4HANA (IS-OIL)IS-OIL 618affected
SAP_SESAP ECC and SAP S/4HANA (IS-OIL)IS-OIL 800affected
SAP_SESAP ECC and SAP S/4HANA (IS-OIL)IS-OIL 802affected
SAP_SESAP ECC and SAP S/4HANA (IS-OIL)IS-OIL 803affected
SAP_SESAP ECC and SAP S/4HANA (IS-OIL)IS-OIL 804affected
SAP_SESAP ECC and SAP S/4HANA (IS-OIL)IS-OIL 805affected
SAP_SESAP ECC and SAP S/4HANA (IS-OIL)IS-OIL 806affected
SAP_SESAP ECC and SAP S/4HANA (IS-OIL)IS-OIL 807affected

Weaknesses

  • CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CVE Program Container

Additional References

References