CVE-2023-36922
OS command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL)
- Severity Score: 8.8 (CVSS v3.1)
- Public Exploits: 0 (Multiple Sources)
- Exploited in Wild: - (KEV)
- Decision: - (SSVC)
Descriptions
Due to a programming error in a function module and report, the IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension. On successful exploitation, the attacker can read or modify system data as well as shut down the system.
Credits: N/A
Timeline
- 2023-06-27 CVE Reserved
- 2023-07-11 CVE Published
- 2024-08-02 CVE Updated
- 2025-01-31 EPSS Updated
CWE
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
References (1)
URL | Date | SRC |
---|---|---|
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html | 2023-12-09 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Sap | Netweaver | 600 | - | Affected |
Sap | Netweaver | 602 | - | Affected |
Sap | Netweaver | 603 | - | Affected |
Sap | Netweaver | 604 | - | Affected |
Sap | Netweaver | 605 | - | Affected |
Sap | Netweaver | 606 | - | Affected |
Sap | Netweaver | 617 | - | Affected |
Sap | Netweaver | 618 | - | Affected |
Sap | Netweaver | 800 | - | Affected |
Sap | Netweaver | 802 | - | Affected |
Sap | Netweaver | 803 | - | Affected |
Sap | Netweaver | 804 | - | Affected |
Sap | Netweaver | 805 | - | Affected |
Sap | Netweaver | 806 | - | Affected |
Sap | Netweaver | 807 | - | Affected |