PT-2024-33193 · SAS · SAS Studio

Published: 2024-10-30 · Updated: 2024-11-04 · CVE-2024-48733

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SAS Studio version 9.4

Description: A SQL injection issue exists in the /SASStudio/sasexec/sessions/{sessionID}/sql endpoint of SAS Studio, allowing a remote attacker to execute arbitrary SQL commands via the POST request body. The vendor disputes this issue, since executing SQL statements through this endpoint is intended functionality for authorized users.

Recommendations: For SAS Studio version 9.4, consider restricting access to the /SASStudio/sasexec/sessions/{sessionID}/sql endpoint to minimize the risk of exploitation. As a temporary workaround, limit the execution of SQL commands to only necessary and authorized users until a patch or official guidance is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2024-48733

Affected Products

SAS Studio