Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

Potential disclosure of DB data in CL_BBP_PERSIST_EVENT_CONT, SAP security note 1478978

Description

A malicious user can exploit CL_BBP_PERSIST_EVENT_CONT and use specially crafted inputs to execute arbitrary database commands to retrieve, modify, or remove data persisted by the system.
The dynamic ‘where’-clause can be manipulated by the attacker to insert malicious code.
Affected Releases: SRM_SERVER 7.01; 7.0; 5.5; 5.0

Available fix and Supported packages

  • SRM_SERVER | 550 | 550
  • SRM_SERVER | 700 | 700
  • SRM_SERVER | 701 | 701
  • SRM_SERVER 550 | SAPKIBKT17 |
  • SRM_SERVER 701 | SAPK-70102INSRMSRV |
  • SRM_SERVER 700 | SAPKIBKV09 |
  • SRM_SERVER 550 | SAPKIBKT18 |

Affected component

    SRM-EBP-ALR
    Events and Alert Management

CVSS

Score: 0

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/1478978

TAGS

#SRM
#Supplier-Relationship-Management
#procurement
#E-Commerce
#Web
#business-to-business
#SAP-Business-to-Business-Procurement
#BBP
#business-to-business
#e-business
#Ebusiness
#Internet
#EBP
#EnterpriseBuyer
#Enterprise-Buyer-professional-edition
#SRM_SERVER
#security-vulnerability
#SQL-injection-vulnerability
#unsecure-database-access
#CL_BBP_PERSIST_EVENT_CONT

Explore More

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.