SAP · SAP HANA DB · CVE-2016-6145
**Name of the Vulnerable Software and Affected Versions**
SAP HANA DB version 1.00.091.00.1418659308
**Description**
The SQL interface in SAP HANA DB returns different error messages for failed login attempts depending on whether the username exists and is locked, when the `detailed_error_on_connect` option is not supported or is configured as "False". This allows remote attackers to enumerate database users via a series of login attempts.
**Recommendations**
For SAP HANA DB version 1.00.091.00.1418659308, consider configuring the `detailed_error_on_connect` option as "True" to prevent detailed error messages from being displayed for failed login attempts. Additionally, restrict access to the SQL interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
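
Because no fixed version is known, monitoring failed connects is a useful complement to restricting access. The following is an added example, not code from this advisory or from SAP: it flags clients whose failed logins cover many distinct user names in a short window, which is the pattern a series of enumeration attempts produces. The event tuple layout, the thresholds and the sample events are assumptions constructed for illustration; it does not parse the real SAP HANA audit trail format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(start, step_s, client, users, outcome="FAILED"):
    """Build constructed events: one connect attempt per user name, step_s seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i * step_s)).isoformat(), client, u, outcome)
            for i, u in enumerate(users)]


# Constructed sample data (hypothetical layout: timestamp, client, user name, outcome).
SAMPLE_EVENTS = (
    # One client walking through six different names in under a minute.
    _ev("2016-07-01T10:00:00", 10, "10.0.0.5",
        ["SYSTEM", "ADMIN", "HANA_USER", "REPORTING", "BACKUP", "ETL"])
    # One user mistyping a password eight times: many failures, one name.
    + _ev("2016-07-01T10:01:00", 5, "10.0.0.9", ["alice"] * 8)
    + _ev("2016-07-01T10:02:00", 0, "10.0.0.9", ["alice"], outcome="OK")
    # Five names, but spread over 40 minutes.
    + _ev("2016-07-01T10:00:00", 600, "10.0.0.7", ["U1", "U2", "U3", "U4", "U5"])
)


def find_enumeration_sources(events, window=timedelta(minutes=5), min_users=5):
    """Return {client: sorted user names} for clients whose failed connects
    hit at least `min_users` distinct user names within `window`."""
    recent = defaultdict(deque)  # client -> (time, user) pairs still inside the window
    flagged = {}
    for ts, client, user, outcome in sorted(events):
        if outcome != "FAILED":
            continue
        now = datetime.fromisoformat(ts)
        q = recent[client]
        q.append((now, user.upper()))
        # Drop attempts that have aged out of the sliding window.
        while now - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        # Count distinct names, not failures, so repeated typos are not flagged.
        if len(users) >= min_users:
            flagged.setdefault(client, set()).update(users)
    return {c: sorted(u) for c, u in flagged.items()}


if __name__ == "__main__":
    for client, users in find_enumeration_sources(SAMPLE_EVENTS).items():
        print(f"{client}: {len(users)} distinct user names tried: {', '.join(users)}")
```

Counting distinct names per client rather than raw failures keeps a single user's repeated typos from raising the alert, while a slow sweep only shows up once the window is widened.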