#VU36779 SQL injection in MaxDB


Published: 2018-08-14 | Updated: 2020-08-08

Vulnerability identifier: #VU36779

Vulnerability risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-2450

CWE-ID: CWE-89

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
MaxDB
Server applications / Database software

Vendor: SAP

Description

The vulnerability allows a remote privileged user to execute arbitrary code.

SAP MaxDB (liveCache), versions 7.8 and 7.9, allows an attacker who obtains DBM operator privileges to execute crafted database queries and therefore read, modify or delete sensitive data from the database.

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

MaxDB: 7.8 - 7.9


External links
http://www.securityfocus.com/bid/105063
http://launchpad.support.sap.com/#/notes/2660005
http://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=499352742


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
