[ERPSCAN-17-051] Log injection in SAP NetWeaver AS Java using basic auth

Application: SAP NetWeaver AS Java
Versions Affected: ENGINEAPI 7.10-7.50
Vendor URL: SAP
Bug: Log Injection
Reported: 17.05.2017
Vendor response: 18.05.2017
Date of Public Advisory: 14.11.2017
Reference: SAP Security Note 2485208
Author: Vahagn Vardanyan (ERPScan)


Class: Injection
Risk: Medium
Impact: An attacker can forge entries in the security audit log
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information

CVSS v3 Base Score: 4.3 / 10
CVSS v3 Base Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) Low (L)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality None (N)
I: Impact to Integrity Low (L)
A: Impact to Availability None (N)

Description

User input is not checked for CRLF characters (carriage return and line feed), so an attacker can forge entries in a log file.

Business Risk

An attacker can use a Log Injection vulnerability to write arbitrary data into the audit log. Forged or malformed entries complicate analysis of the audit log, and a large volume of injected data can rapidly fill the disk and corrupt the event log.

Affected Versions

ENGINEAPI 7.10-7.50

Solution

To correct this vulnerability, install SAP Security Note 2485208.

Technical Details

The vulnerability is present in any component that uses HTTP Basic authentication. For example, with this PoC arbitrary data can be injected into C:\usr\sap\%SID%\J00\j2ee\cluster\server0\log\system\security_%%.%.log
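The following is an added illustration, not ERPScan's PoC and not SAP code, covering both the business-risk and the technical-details points above: why a CRLF carried inside an HTTP Basic credential reaches a line-oriented audit log intact and splits one event into two records, what a write-time fix looks like, and what a later triage of the log can and cannot recover. The record layout, the sample credential and the escaping routine are constructed for this example and are assumptions, not SAP's actual log format or sanitiser.

```python
# Added example (not ERPScan's PoC, not SAP code). The record layout
# "<YYYYMMDDTHHMMSS>|<event>|user=<name>" + CRLF, the sample credential
# and the escaping routine are constructed for this illustration.
import base64
import re


def basic_auth_header(username, password):
    """Build an RFC 7617 Authorization header value.

    The credential is base64-encoded, so CR and LF inside the user-id pass
    HTTP header parsing untouched and only reappear once the server decodes
    them. The user-id itself may not contain ':' (it is the separator), which
    is the one character an attacker cannot put into the forged record.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def decode_basic(header_value):
    """Server side: recover (user-id, password) from the header value."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


# Constructed record layout. A colon-free timestamp is used so that a whole
# record is representable inside a Basic user-id (see basic_auth_header).
RECORD_START = re.compile(r"^\d{8}T\d{6}\|")
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def vulnerable_log_entry(timestamp, user):
    """Writes the decoded user-id verbatim: a CRLF inside it terminates the
    record early and the remainder of the user-id becomes a new record."""
    return f"{timestamp}|Login failed|user={user}\r\n"


def hardened_log_entry(timestamp, user):
    """Escape every C0 control character (CR, LF, NUL, ESC, ...) before the
    value reaches the file, so one event can never become two records and
    the escaped bytes stay visible to a reviewer."""
    safe = CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), user)
    return f"{timestamp}|Login failed|user={safe}\r\n"


def split_records(log_text):
    """What a line-oriented log reader sees: one record per CRLF."""
    return [r for r in log_text.split("\r\n") if r]


def suspicious_records(log_text):
    """Triage over an audit log. Flags records that do not open with the
    logger's own timestamp (a sloppy forgery or a truncated write) and
    records whose user field carries an escaped CR/LF (an injection attempt
    caught by the hardened writer). A forgery that reproduces the full
    record layout is indistinguishable at this level, which is why the fix
    has to happen at write time."""
    return [
        r for r in split_records(log_text)
        if not RECORD_START.match(r) or "\\x0d" in r or "\\x0a" in r
    ]


if __name__ == "__main__":
    # Constructed attacker credential: user-id carries a CRLF followed by a
    # fake "Login successful" record for a privileged account.
    forged = "bob\r\n20170517T100001|Login successful|user=Administrator"
    user, _ = decode_basic(basic_auth_header(forged, "wrong"))
    print(repr(vulnerable_log_entry("20170517T100000", user)))
    print(repr(hardened_log_entry("20170517T100000", user)))
```

With the vulnerable writer the single failed login produces two records, and the second one is a well-formed "Login successful" line for Administrator that no line-level check can tell apart from a real one; with the hardened writer the same input stays one record, and the escaped CR/LF in the user field is itself the indicator that someone tried.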

Proof of Concept