Vahagn Vardanian

Co-founder and CTO of RedRays

CVE-2020-6249 SQL Injection vulnerability in SAP Master Data Governance (MDG), SAP security note 2908560

Description

The use of an admin backend report from within MDG allows an attacker to execute crafted database queries, exposing the backend database.

Well-known impacts of a SQL injection vulnerability include:

  • Read sensitive data
  • Execute admin-level operations on the database

Available fix and Supported packages

  • S4CORE | 101 | 101
  • S4FND | 102 | 102
  • S4FND | 103 | 103
  • S4FND | 104 | 104
  • SAP_BS_FND | 748 | 748
  • | SAPK-S4CLOUD_2008 |
  • S4CORE 101 | SAPK-10109INS4CORE |
  • S4FND 103 | SAPK-10304INS4FND |
  • S4FND 104 | SAPK-10402INS4FND |
  • S4FND 102 | SAPK-10207INS4FND |
  • SAP_BS_FND 748 | SAPK-74815INSAPBSFND |
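A patch-level check built from the support packages listed above, as an added example that is not part of the original advisory or of SAP's tooling. It assumes the package names decode as SAPK-<release><SP level>IN<component>, and the installed-component rows are constructed sample input; it compares SP levels only.

```python
import re

# Fixed support packages exactly as listed in the advisory. The
# SAPK-S4CLOUD_2008 entry is left out: the page gives no component for it.
FIXED_PACKAGES = [
    "SAPK-10109INS4CORE",
    "SAPK-10304INS4FND",
    "SAPK-10402INS4FND",
    "SAPK-10207INS4FND",
    "SAPK-74815INSAPBSFND",
]

# Assumption: SAPK-<3-digit release><2-digit SP level>IN<component, no underscores>
_PKG = re.compile(r"^SAPK-(\d{3})(\d{2})IN([A-Z0-9]+)$")


def parse_package(name):
    """Split a support package name into (component, release, sp_level)."""
    m = _PKG.match(name)
    if m is None:
        raise ValueError(f"unrecognised support package name: {name!r}")
    release, sp, component = m.groups()
    return component, release, int(sp)


def fixed_levels(packages=FIXED_PACKAGES):
    """Map (component, release) to the SP level listed for the fix."""
    return {(c, r): sp for c, r, sp in map(parse_package, packages)}


def assess(installed):
    """Compare installed (component, release, sp_level) rows with the fix list."""
    levels = fixed_levels()
    report = {}
    for component, release, sp in installed:
        needed = levels.get((component.replace("_", ""), release))
        if needed is None:
            report[(component, release)] = "not listed in advisory"
        elif sp >= needed:
            report[(component, release)] = "fixed"
        else:
            report[(component, release)] = f"needs SP {needed:02d}"
    return report


# Constructed inventory for illustration, not taken from a real system.
SAMPLE = [("S4FND", "102", 5), ("SAP_BS_FND", "748", 15), ("S4CORE", "102", 0)]

if __name__ == "__main__":
    for key, status in assess(SAMPLE).items():
        print(*key, status)
```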

Affected component

    CA-MDG-CMP
    Consolidation & Mass Processing

CVSS

Score: 7.7
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

PoC

Detailed vulnerability information has been added to the RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2908560

TAGS

#Injection-attack
#blind-SQL-injection
#database-vulnerabilities
#CVE-2020-6249
