
About SAP NOTE# 2113333

Former Member
0 Kudos

SAP release note#2113333 said "An authenticated user can exploit specific commands in SAP ASE to elevate the user's privileges in the system"

The CVSS score of 8.5 is very high.

Any idea what kind of "specific commands" get ASE into trouble?

Accepted Solutions (1)

jayrijnbergen
Active Participant
0 Kudos

The note says:

An authenticated user can create special strings which manipulate the SQL statement being executed to elevate attacker's privileges in the system. The problem is caused by a SQL injection vulnerability.

It doesn't really matter which command is affected; the point is that SQL injection is possible to get elevated privileges, e.g. sa_role. (Note the comment "An authenticated user": that means you must already have a valid Sybase login to abuse this bug.)

If you want to be safe, it's best to upgrade to a version as suggested in the note.

This issue has been fixed in the following SAP ASE versions:

  • SAP ASE 16.0 GA PL05
  • SAP ASE 15.7 SP130
  • SAP ASE 15.5 ESD#5.4
  • SAP ASE 15.0.3 ESD#4.4

Answers (0)