SAP NetWeaver AS JAVA 'getUserUddiElements' SQL Injection Vulnerability

SAP NetWeaver is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

SAP NetWeaver 7.40 is vulnerable; other versions may also be affected.

Information

Bugtraq ID: 95364
Class: Input Validation Error
CVE: CVE-2017-7717

Remote: Yes
Local: No
Published: Jan 10 2017 12:00AM
Updated: Apr 17 2017 12:06PM
Credit: Vahagn Vardanyan (ERPScan)
Vulnerable: SAP NetWeaver 7.40

Not Vulnerable:

References:

• SAP Homepage (SAP)
  
• [ERPSCAN-17-003] SAP NetWeaver 7.4 getUserUddiElements SQL injection (SAP)
  
• SAP Security Note 2356504 (SAP)
  

Source: www.securityfocus.com