Unrated severityNVD Advisory· Published Jul 11, 2023· Updated Aug 2, 2024

OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL)

CVE-2023-36922

Description

Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension. On successful exploitation, the attacker can read or modify the system data as well as shut down the system.

Affected products

SAP/SAP ECCllm-create
SAP/S/4HANAllm-fuzzy
SAP_SE/SAP ECC and SAP S/4HANA (IS-OIL)v5
Range: IS-OIL 600

Patches

Vulnerability mechanics

References

me.sap.com/notes/3350297mitre
www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.htmlmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000