CVE-2023-36922 : Due to programming error in function module and report, IS-OIL component in SAP

Due to programming error in function module and report, IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension. On successful exploitation, the attacker can read or modify the system data as well as shut down the system.

Published 2023-07-11 03:15:10

Updated 2023-12-09 17:15:44

Source SAP SE

View at NVD, CVE.org

Products affected by CVE-2023-36922

SAP » Netweaver » Version: 600
cpe:2.3:a:sap:netweaver:600:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver » Version: 602
cpe:2.3:a:sap:netweaver:602:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver » Version: 603
cpe:2.3:a:sap:netweaver:603:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver » Version: 604
cpe:2.3:a:sap:netweaver:604:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver » Version: 605
cpe:2.3:a:sap:netweaver:605:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver » Version: 606
cpe:2.3:a:sap:netweaver:606:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver » Version: 617
cpe:2.3:a:sap:netweaver:617:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver » Version: 618
cpe:2.3:a:sap:netweaver:618:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver » Version: 800
cpe:2.3:a:sap:netweaver:800:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver » Version: 802
cpe:2.3:a:sap:netweaver:802:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver » Version: 803
cpe:2.3:a:sap:netweaver:803:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver » Version: 804
cpe:2.3:a:sap:netweaver:804:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver » Version: 805
cpe:2.3:a:sap:netweaver:805:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver » Version: 806
cpe:2.3:a:sap:netweaver:806:*:*:*:*:*:*:*
Matching versions
SAP » Netweaver » Version: 807
cpe:2.3:a:sap:netweaver:807:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-36922

EPSS FAQ

0.13%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 34 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-36922

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H	2.3	6.0	SAP SE
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-36922

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Assigned by:
- cna@sap.com (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2023-36922

https://me.sap.com/notes/3350297

SAP for Me: Sign In
Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

SAP Patch Day Blog
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-36922

Products affected by CVE-2023-36922

Exploit prediction scoring system (EPSS) score for CVE-2023-36922

CVSS scores for CVE-2023-36922

CWE ids for CVE-2023-36922

References for CVE-2023-36922