Skip links

Potential disclosure and modification of code and data, SAP security note 1520781

Description

PRA contains code that permits the execution of arbitrary program code of the user#s choice.
A malicious user can therefore control the behavior of the system, or can potentially escalate privileges by executing malicious code, without having their own legitimate credentials.

A malicious user can exploit PRA(Production and revenue accounting) and use specially crafted inputs to modify data-base commands. This results in either the retrieval of additional information, or the modification of data persisted by the system.

Available fix and Supported packages

  • IS-OIL | 600 | 600
  • IS-OIL | 602 | 602
  • IS-OIL | 603 | 603
  • IS-PRA | 604 | 604
  • IS-PRA | 605 | 605
  • IS-OIL 600 | SAPK-60019INISOIL |
  • IS-OIL 602 | SAPK-60209INISOIL |
  • IS-OIL 603 | SAPK-60308INISOIL |
  • IS-PRA 604 | SAPK-60409INISPRA |
  • IS-PRA 605 | SAPK-60503INISPRA |

Affected component

    IS-OIL-PRA
    Production and Revenue Accounting

CVSS

Score: 0

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected]

URL

https://launchpad.support.sap.com/#/notes/1520781

TAGS

#Security-Note
#Security-Issue
#Security-Problem
#Vulnerability
#ExploitIS-Oil
#industry-solution
#IS-OIL-PRA
#Oil-and-Gas-Upstream
#Production-and-Revenue-Accounting
#Backdoor
#injection
#run
#credentials
#SQL-injection
#database
#PDM.