PT-2015-2429 · Sap · Sap Hana Db
Fernando Russ
+1
·
Published
2015-10-15
·
Updated
2015-10-16
·
CVE-2015-7727
CVSS v2.0
6.5
Medium
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
SAP HANA DB version 1.00.73.00.389160
Description
The issue concerns multiple SQL injection vulnerabilities in the Web-based Development Workbench of SAP HANA DB. These vulnerabilities allow remote authenticated users to execute arbitrary SQL commands. The vulnerabilities are related to unspecified vectors in the trace configuration page and the getSqlTraceConfiguration function.
Recommendations
For SAP HANA DB version 1.00.73.00.389160, consider restricting access to the trace configuration page and the getSqlTraceConfiguration function until a patch is available. As a temporary workaround, avoid using the getSqlTraceConfiguration function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Sap Hana Db