Potential disclosure of DB data in CL_BBP_PERSIST_EVENT_CONT, SAP security note 1478978

Description

A malicious user can exploit CL_BBP_PERSIST_EVENT_CONT and use specially crafted inputs to execute arbitrary database commands to retrieve, modify, or remove data persisted by the system.
The dynamic ‘where’-clause can be manipulated by the attacker to insert malicious code.
Affected Releases: SRM_SERVER 7.01; 7.0; 5.5; 5.0

Available fix and Supported packages

SRM_SERVER | 550 | 550
SRM_SERVER | 700 | 700
SRM_SERVER | 701 | 701
SRM_SERVER 550 | SAPKIBKT17 |
SRM_SERVER 701 | SAPK-70102INSRMSRV |
SRM_SERVER 700 | SAPKIBKV09 |
SRM_SERVER 550 | SAPKIBKT18 |

Affected component

CVSS

Score: 0

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/1478978

Vahagn Vardanian

Potential disclosure of DB data in CL_BBP_PERSIST_EVENT_CONT, SAP security note 1478978

Description

Available fix and Supported packages

Affected component

CVSS

PoC

URL

TAGS

Explore More

SAP Security Patch Day June 2026

RedRays ABAP Security Challenge 2026

SAP Security Patch Day – May 2026

SAP npm Packages Hijacked to Steal Cloud Credentials and Weaponize AI Coding Agents