CVE-2015-7725: SQL Injection
First published: Thu Oct 15 2015(Updated: )
Multiple SQL injection vulnerabilities in the Web-based Development Workbench in SAP HANA DB 1.00.091.00.1418659308 allow remote authenticated users to execute arbitrary SQL commands via the (1) remoteSourceName in the dropCredentials function or unspecified vectors in the (2) setTraceLevelsForXsApps, (3) _modifyUser, or (4) _newUser function, aka SAP Security Notes 2153898 and 2153765.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| SAP HANA Database | =1.00.091.00 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/133761/SAP-HANA-_modifyUser-SQL-Injection.html
- http://packetstormsecurity.com/files/133762/SAP-HANA-_newUser-SQL-Injection.html
- http://packetstormsecurity.com/files/133764/SAP-HANA-setTraceLevelsForXsApps-SQL-Injection.html
- http://packetstormsecurity.com/files/133769/SAP-HANA-Drop-Credentials-SQL-Injection.html
- http://seclists.org/fulldisclosure/2015/Sep/110
- http://seclists.org/fulldisclosure/2015/Sep/111
- http://seclists.org/fulldisclosure/2015/Sep/113
- http://seclists.org/fulldisclosure/2015/Sep/118
- https://www.onapsis.com/blog/analyzing-sap-security-notes-may-2015-edition
- https://www.onapsis.com/research/security-advisories/sap-hana-drop-credentials-sql-injection
- https://www.onapsis.com/research/security-advisories/sap-hana-sql-injection-modifyuser
- https://www.onapsis.com/research/security-advisories/sap-hana-sql-injection-newuser
- https://www.onapsis.com/research/security-advisories/sap-sql-injection-settracelevelsforxsapps
Frequently Asked Questions
What is the severity of CVE-2015-7725?
CVE-2015-7725 is classified as a high severity SQL injection vulnerability.
How do I fix CVE-2015-7725?
To fix CVE-2015-7725, update your SAP HANA DB to the latest version that patches this vulnerability.
Who is affected by CVE-2015-7725?
CVE-2015-7725 affects remote authenticated users of SAP HANA DB version 1.00.091.00.
What are the consequences of CVE-2015-7725?
The consequences of CVE-2015-7725 can include unauthorized execution of arbitrary SQL commands.
Is CVE-2015-7725 easy to exploit?
CVE-2015-7725 can be exploited relatively easily by authenticated users due to improper input validation.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/sap
- canonical/sap hana database
- version/sap hana database/1.00.091.00