Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Sap Subscribe
Filtered by product Hana
Total 38 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-21484 1 Sap 1 Hana 2021-03-16 6.8 MEDIUM 9.8 CRITICAL
LDAP authentication in SAP HANA Database version 2.0 can be bypassed if the attached LDAP directory server is configured to enable unauthenticated bind.
CVE-2018-2497 1 Sap 1 Hana 2020-08-24 4.0 MEDIUM 2.7 LOW
The security audit log of SAP HANA, versions 1.0 and 2.0, does not log SELECT events if these events are part of a statement with the syntax CREATE TABLE <table_name> AS SELECT.
CVE-2018-2362 1 Sap 1 Hana 2020-08-24 5.0 MEDIUM 5.3 MEDIUM
A remote unauthenticated attacker, SAP HANA 1.00 and 2.00, could send specially crafted SOAP requests to the SAP Startup Service and disclose information such as the platform's hostname.
CVE-2018-2369 1 Sap 1 Hana 2020-08-24 5.0 MEDIUM 5.3 MEDIUM
Under certain conditions SAP HANA, 1.00, 2.00, allows an unauthenticated attacker to access information which would otherwise be restricted. An attacker can misuse the authentication function of the SAP HANA server on its SQL interface and disclose 8 bytes of the server process memory. The attacker cannot influence or predict the location of the leaked memory.
CVE-2019-0357 1 Sap 1 Hana 2020-08-24 7.2 HIGH 6.7 MEDIUM
The administrator of SAP HANA database, before versions 1.0 and 2.0, can misuse HANA to execute commands with operating system "root" privileges.
CVE-2018-2402 1 Sap 1 Hana 2019-10-09 3.5 LOW 8.4 HIGH
In systems using the optional capture & replay functionality of SAP HANA, 1.00 and 2.00, (see SAP Note 2362820 for more information about capture & replay), user credentials may be stored in clear text in the indexserver trace files of the control system. An attacker with the required authorizations on the control system may be able to access the user credentials and gain unauthorized access to data in the captured or target system.
CVE-2019-0284 1 Sap 1 Hana 2019-04-11 3.6 LOW 6.0 MEDIUM
SLD Registration in SAP HANA (fixed in versions 1.0, 2.0) does not sufficiently validate an XML document accepted from an untrusted source. The attacker can call SLDREG with an XML file containing a reference to an XML External Entity (XXE). This can cause SLDREG to, for example, continuously loop, read arbitrary files and even send local files.
CVE-2016-1929 1 Sap 1 Hana 2018-12-10 8.5 HIGH 9.3 CRITICAL
The XS engine in SAP HANA allows remote attackers to spoof log entries in trace files and consequently cause a denial of service (disk consumption and process crash) via a crafted HTTP request, related to an unspecified debug function, aka SAP Security Note 2241978.
CVE-2016-1928 1 Sap 1 Hana 2018-12-10 7.5 HIGH 9.8 CRITICAL
Buffer overflow in the XS engine (hdbxsengine) in SAP HANA allows remote attackers to cause a denial of service or execute arbitrary code via a crafted HTTP request, related to JSON, aka SAP Security Note 2241978.
CVE-2014-8588 1 Sap 1 Hana 2018-12-10 7.5 HIGH N/A
SQL injection vulnerability in metadata.xsjs in SAP HANA 1.00.60.379371 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2016-4018 1 Sap 1 Hana 2018-12-10 7.5 HIGH 7.3 HIGH
The Data Provisioning Agent (aka DP Agent) in SAP HANA does not properly restrict access to service functionality, which allows remote attackers to obtain sensitive information, gain privileges, and conduct unspecified other attacks via unspecified vectors, aka SAP Security Note 2262742.
CVE-2015-7986 1 Sap 1 Hana 2018-12-10 7.5 HIGH N/A
The index server (hdbindexserver) in SAP HANA 1.00.095 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via an HTTP request, aka SAP Security Note 2197428.
CVE-2016-4017 1 Sap 1 Hana 2018-12-10 5.0 MEDIUM 7.5 HIGH
The Data Provisioning Agent (aka DP Agent) in SAP HANA allows remote attackers to cause a denial of service (process crash) via unspecified vectors, aka SAP Security Note 2262710.
CVE-2018-2465 1 Sap 1 Hana 2018-11-20 5.0 MEDIUM 7.5 HIGH
SAP HANA (versions 1.0 and 2.0) Extended Application Services classic model OData parser does not sufficiently validate XML. By exploiting, an unauthorized hacker can cause the database server to crash.
CVE-2015-3995 1 Sap 1 Hana 2018-10-09 4.0 MEDIUM N/A
SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to read arbitrary files via an IMPORT FROM SQL statement, aka SAP Security Note 2109565.
CVE-2015-3994 1 Sap 1 Hana 2018-10-09 4.0 MEDIUM N/A
The grant.xsfunc application in testApps/grantAccess/ in the XS Engine in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to spoof log entries via a crafted request, aka SAP Security Note 2109818.
CVE-2015-2072 1 Sap 1 Hana 2018-10-09 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in SAP HANA 73 (1.00.73.00.389160) and HANA Developer Edition 80 (1.00.80.00.391861) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) ide/core/plugins/editor/templates/trace/hanaTraceDetailService.xsjs or (2) xs/ide/editor/templates/trace/hanaTraceDetailService.xsjs, aka SAP Note 2069676.
CVE-2014-8314 1 Sap 1 Hana 2018-10-09 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in SAP HANA Developer Edition Revision 70 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) epm/admin/DataGen.xsjs or (2) epm/services/multiply.xsjs in the democontent.
CVE-2014-8313 1 Sap 1 Hana 2018-10-09 6.0 MEDIUM N/A
Eval injection in ide/core/base/server/net.xsjs in the Developer Workbench in SAP HANA allows remote attackers to execute arbitrary XSJX code via unspecified vectors.
CVE-2014-5172 1 Sap 1 Hana 2018-10-09 4.3 MEDIUM N/A
Multiple cross-site scripting (XSS) vulnerabilities in the XS Administration Tools in SAP HANA allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.