[ERPSCAN-14-013] SAP HANA metadata.xsjs – SQL injection

Application: SAP HANA
Versions Affected:
Vendor URL: http://www.sap.com
Bugs: SQL injection
Exploits: YES
Reported: 09.04.2014
Vendor response: 10.04.2014
Date of Public Advisory: 17.10.2014
Reference: SAP Security Note 2067972
Author: Dmitry Chastukhin (ERPScan)

SQL injection in SAP HANA. An attacker can use specially crafted inputs to modify database commands. This results in either retrieval of additional information or modification of the data processed by the system.

Business Risk
By exploiting this vulnerability, an internal attacker is able to change certain system configuration parameters, which might lower the system's security level. Read or write access to other database data is not possible.

