on 01-26-2015 7:01 AM
SAP release note #2113333 said "An authenticated user can exploit specific commands in SAP ASE to elevate the user's privileges in the system".
The CVSS score: 8.5 is very high.
Any idea about what kind of "specific commands" put ASE in trouble?
The note says:
An authenticated user can create special strings which manipulate the SQL statement being executed to elevate attacker's privileges in the system. The problem is caused by a SQL injection vulnerability.
It doesn't really matter which command is affected; the point is that SQL injection can be used to get elevated privileges, e.g. sa_role. (Note the comment "An authenticated user": that means you must already have a valid Sybase login to abuse this bug.)
If you want to be safe, it is best to upgrade to a version as suggested in the note.
This issue has been fixed in the following SAP ASE versions: