Application: SAP Hybris E-commerce
Vendor URL: SAP
Bugs: SQL Injection
Reported: 01.02.2016
Vendor response: 02.02.2016
Date of Public Advisory: 08.11.2016
Reference: SAP replied “Due to the fact that this issue is inside Hybris cloud we don’t provide a security note. Please mention inside your upcoming advisories that the fix is already implemented and that our Customers are secure.”
Author: Aleksey Tyurin (ERPScan)


VirtualJDBC is an additional extension for SAP Hybris E-commerce. It is a kind of proxy for accessing RDBMS over HTTP.

So, there is an opportunity to run any SQL query in the db remotely.

The VirtualJDBC servlet requires a valid credential, but it doesn’t have any protection against brute-force attacks.

Business risk

An attacker can use an SQL injection vulnerability with a help of specially crafted SQL queries. He can read and modify sensitive information from a database, execute administration operations on a database, destroy data or make it unavailable.