[ERPSCAN-14-013] SAP HANA metadata.xsjs – SQL injection
Application: SAP HANA
Versions Affected: 1.00.60.379371
Vendor URL: http://www.sap.com
Bugs: SQL injection
Vendor response: 10.04.2014
Date of Public Advisory: 17.10.2014
Reference: SAP Security Note 2067972
Author: Dmitry Chastukhin (ERPScan)
SQL injection in SAP HANA. An attacker can use specially crafted inputs to modify database commands. This results in either retrieval of additional information or modification of the data processed by the system.
By exploiting this vulnerability, an internal attacker is able to change certain system configuration parameters, which might lower the system's security level. Read or write access to other database data is not possible.