
CVE-2020-6249 SQL Injection vulnerability in SAP Master Data Governance (MDG), SAP security note 2908560

Description

The use of an admin backend report from within MDG allows an attacker to execute crafted database queries, exposing the backend database.

Some well-known impacts of a SQL injection vulnerability are:

  • Read sensitive data
  • Execute admin-level operations on the database

Available fix and Supported packages

  • S4CORE | 101 | 101
  • S4FND | 102 | 102
  • S4FND | 103 | 103
  • S4FND | 104 | 104
  • SAP_BS_FND | 748 | 748
  • | SAPK-S4CLOUD_2008 |
  • S4CORE 101 | SAPK-10109INS4CORE |
  • S4FND 103 | SAPK-10304INS4FND |
  • S4FND 104 | SAPK-10402INS4FND |
  • S4FND 102 | SAPK-10207INS4FND |
  • SAP_BS_FND 748 | SAPK-74815INSAPBSFND |

Affected component

    CA-MDG-CMP
    Consolidation & Mass Processing

CVSS

Score: 7.7
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Exploit

Exploit is not available.
For detailed information, please contact [email protected]

URL

https://launchpad.support.sap.com/#/notes/2908560

TAGS

#Injection-attack
#blind-SQL-injection
#database-vulnerabilities
#CVE-2020-6249