SQL injection in MaxDB - CVE-2018-2450
Published: August 14, 2018 / Updated: August 8, 2020
Vulnerability identifier: #VU36779
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-2450
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: SAP
Affected software:
MaxDB
Detailed vulnerability description
The vulnerability allows a remote privileged user to execute arbitrary code.
SAP MaxDB (liveCache), versions 7.8 and 7.9, allows an attacker who obtains DBM operator privileges to execute crafted database queries and thereby read, modify or delete sensitive data in the database.
How to mitigate CVE-2018-2450
Install the update from the vendor's website.