Vulnerability Details CVE-2015-7727
Multiple SQL injection vulnerabilities in the Web-based Development Workbench in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors in the (1) trace configuration page or (2) getSqlTraceConfiguration function, aka SAP Security Note 2153898.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 68.4%
CVSS Severity
CVSS v2 Score 6.5
References
- http://packetstormsecurity.com/files/133766/SAP-HANA-Trace-Configuration-SQL-Injection.html
- http://packetstormsecurity.com/files/133768/SAP-HANA-getSqlTraceConfiguration-SQL-Injection.html
- http://seclists.org/fulldisclosure/2015/Sep/115
- http://seclists.org/fulldisclosure/2015/Sep/117
- http://www.onapsis.com/research/security-advisories/SAP-HANA-Trace-configuration-SQL-injection
- https://www.onapsis.com/blog/analyzing-sap-security-notes-may-2015-edition
- https://www.onapsis.com/research/security-advisories/sap-hana-sql-injection-getsqltraceconfiguration-function
- http://packetstormsecurity.com/files/133766/SAP-HANA-Trace-Configuration-SQL-Injection.html
- http://packetstormsecurity.com/files/133768/SAP-HANA-getSqlTraceConfiguration-SQL-Injection.html
- http://seclists.org/fulldisclosure/2015/Sep/115
- http://seclists.org/fulldisclosure/2015/Sep/117
- http://www.onapsis.com/research/security-advisories/SAP-HANA-Trace-configuration-SQL-injection
- https://www.onapsis.com/blog/analyzing-sap-security-notes-may-2015-edition
- https://www.onapsis.com/research/security-advisories/sap-hana-sql-injection-getsqltraceconfiguration-function