SAP S/4HANA SQL Injection Vulnerability in Enterprise Search for ABAP

A SQL injection vulnerability has been identified in SAP S/4HANA, specifically within the Enterprise Search for ABAP component. This vulnerability allows authenticated attackers to inject malicious SQL statements through user-controlled input. The application concatenates this input into SQL queries without proper validation or sanitization, enabling attackers to access sensitive database information and potentially crash the application. This issue significantly impacts the application's confidentiality and availability, while integrity remains unaffected.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive database information, with a possibility of crashing the application.

Remediation

Users are advised to consult the SAP Security Notes for guidance on applying necessary patches. SAP Security Notes can be accessed through the SAP for Me platform, specifically on the SAP Security Patch Day.