CVE-2023-36922

CRITICAL

SAP ECC/S/4HANA - Command Injection

Title source: llm

Description

Due to a programming error in a function module and report, the IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension. On successful exploitation, the attacker can read or modify the system data as well as shut down the system.

Scores

CVSS v3 9.1
EPSS 0.0022
EPSS Percentile 44.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (15)
sap/netweaver 600
sap/netweaver 602
sap/netweaver 603
sap/netweaver 604
sap/netweaver 605
sap/netweaver 606
sap/netweaver 617
sap/netweaver 618
sap/netweaver 800
sap/netweaver 802
... and 5 more
Published Jul 11, 2023
Tracked Since Feb 18, 2026