SAP Cloud SDK for AI Python has OS Command Injection when Program Objects Execution is Enabled

GHSA-xxhh-59gh-6ffx · CVE-2023-25617 · PYSEC-2023-315

Published Mar 14, 2023 · Modified Jun 9, 2026

Description

SAP Business Object (Adaptive Job Server) - versions 420, 430, allows remote execution of arbitrary commands on Unix, when program objects execution is enabled, to authenticated users with scheduling rights, using the BI Launchpad, Central Management Console or a custom application based on the public java SDK. Programs could impact the confidentiality, integrity and availability of the system.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-25617
WEB https://github.com/pypa/advisory-database/tree/main/vulns/sap-ai-sdk-base/PYSEC-2023-315.yaml
WEB https://launchpad.support.sap.com/#/notes/3283438
WEB https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
PACKAGE https://www.sap.com/index.html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes