{ "id": "CVE-2023-36922", "sourceIdentifier": "cna@sap.com", "published": "2023-07-11T03:15:10.357", "lastModified": "2023-12-09T17:15:44.150", "vulnStatus": "Modified", "descriptions": [ { "lang": "en", "value": "Due to a programming error in a function module and report, the IS-OIL component in SAP ECC and SAP S/4HANA allows an authenticated attacker to inject an arbitrary operating system command into an unprotected parameter in a common (default) extension. On successful exploitation, the attacker can read or modify the system data as well as shut down the system." } ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH" }, "exploitabilityScore": 2.8, "impactScore": 5.9 }, { "source": "cna@sap.com", "type": "Secondary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL" }, "exploitabilityScore": 2.3, "impactScore": 6.0 } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-78" } ] }, { "source": "cna@sap.com", "type": "Secondary", "description": [ { "lang": "en", "value": "CWE-78" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:sap:netweaver:600:*:*:*:*:*:*:*", "matchCriteriaId": "BDC771C8-70C7-4EA4-BF13-9153175F652F" }, { 
"vulnerable": true, "criteria": "cpe:2.3:a:sap:netweaver:602:*:*:*:*:*:*:*", "matchCriteriaId": "D95174DD-6513-469F-911D-61FEF490BF44" }, { "vulnerable": true, "criteria": "cpe:2.3:a:sap:netweaver:603:*:*:*:*:*:*:*", "matchCriteriaId": "A78F0A5A-514B-49C6-82E1-788049D4624A" }, { "vulnerable": true, "criteria": "cpe:2.3:a:sap:netweaver:604:*:*:*:*:*:*:*", "matchCriteriaId": "92CF95AB-7222-4BB9-A01B-CC9BB0548DBE" }, { "vulnerable": true, "criteria": "cpe:2.3:a:sap:netweaver:605:*:*:*:*:*:*:*", "matchCriteriaId": "8941EEEA-F588-419D-A72C-177A669D450B" }, { "vulnerable": true, "criteria": "cpe:2.3:a:sap:netweaver:606:*:*:*:*:*:*:*", "matchCriteriaId": "94616B3E-ADE0-45E2-A3B8-B545E7E0BB0F" }, { "vulnerable": true, "criteria": "cpe:2.3:a:sap:netweaver:617:*:*:*:*:*:*:*", "matchCriteriaId": "345E8B05-AE80-401D-895D-918136E5D738" }, { "vulnerable": true, "criteria": "cpe:2.3:a:sap:netweaver:618:*:*:*:*:*:*:*", "matchCriteriaId": "6B5038E3-5515-41C5-8C89-D839D5AE60DF" }, { "vulnerable": true, "criteria": "cpe:2.3:a:sap:netweaver:800:*:*:*:*:*:*:*", "matchCriteriaId": "4BE09533-102E-492F-ACAE-5B959885EE45" }, { "vulnerable": true, "criteria": "cpe:2.3:a:sap:netweaver:802:*:*:*:*:*:*:*", "matchCriteriaId": "70FA0AC8-D377-4800-9365-2EAD15C108C9" }, { "vulnerable": true, "criteria": "cpe:2.3:a:sap:netweaver:803:*:*:*:*:*:*:*", "matchCriteriaId": "364A7BFE-3EAE-4897-B198-BEE1DCEB2163" }, { "vulnerable": true, "criteria": "cpe:2.3:a:sap:netweaver:804:*:*:*:*:*:*:*", "matchCriteriaId": "2A119858-00D2-44CA-9C9D-9BEAFC8BD3CD" }, { "vulnerable": true, "criteria": "cpe:2.3:a:sap:netweaver:805:*:*:*:*:*:*:*", "matchCriteriaId": "5781D666-9439-4D4D-A0F6-DDA6763439CE" }, { "vulnerable": true, "criteria": "cpe:2.3:a:sap:netweaver:806:*:*:*:*:*:*:*", "matchCriteriaId": "19188AD7-2B5F-48E9-81B2-30A60F009432" }, { "vulnerable": true, "criteria": "cpe:2.3:a:sap:netweaver:807:*:*:*:*:*:*:*", "matchCriteriaId": "5C4EDC18-FBD1-473C-82F8-940097CE8C1C" } ] } ] } ], "references": [ { "url": 
"https://me.sap.com/notes/3350297", "source": "cna@sap.com", "tags": [ "Permissions Required" ] }, { "url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html", "source": "cna@sap.com", "tags": [ "Vendor Advisory" ] } ] }