SAP NetWeaver TH_GREP module - Code injection vulnerability (NEW)

Type erpscan
Reporter ERPScan
Modified 2011-03-14T00:00:00


Application: SAP NetWeaver
Versions Affected: SAP NetWeaver
Vendor URL:
Bugs: Command execution
Exploits: YES
Reported: 14.03.2011
Vendor response: 16.03.2011
Date of Public Advisory: 11.11.2011
CVSS: 6.0
Author: Alexey Tyurin

The TH_GREP report is vulnerable to command execution, and the issue still works with the previous patch (note 1433101) applied. Remote OS command execution is possible.

Business Risk
A remote attacker or insider can send a malicious command to the SAP NetWeaver server, over the Internet or from inside the company, and execute unauthorised code on the server side. With this access it is possible to obtain sensitive technical and business-related information stored in the vulnerable SAP system.

