CVE-2023-33993

7.1 HIGH

📋 TL;DR

This SQL injection vulnerability in the B1i (Integration Framework) module of SAP Business One allows an authenticated attacker with deep knowledge of the system to craft a malicious SQL query that the module passes to the database, reading or modifying data it was never meant to expose. Successful exploitation compromises the confidentiality and integrity of the database and can affect application availability. SAP Business One version 10.0 is affected.

💻 Affected Systems

Products:
  • SAP Business One
Versions: 10.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated account that can reach the B1i (Integration Framework) module; exploitation also requires deep knowledge of the system. No unauthenticated path is described.

📦 What is this software?

SAP Business One is SAP's ERP suite for small and midsize businesses, covering finance, sales, purchasing and inventory, with company data held in a Microsoft SQL Server or SAP HANA database. B1i is its Integration Framework, the component that connects Business One to other systems (other Business One installations, SAP and third-party applications, web services) and therefore accepts and processes data arriving from outside the core application.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise allowing data theft, modification, or deletion, potentially leading to business disruption and data loss.

🟠

Likely Case

Unauthorized data access and modification by authenticated malicious insiders or attackers who have compromised legitimate credentials.

🟢

If Mitigated

Limited impact if the database account B1i uses holds only the rights it needs, access to the B1i service is restricted to trusted users and hosts, and database statement auditing is in place to catch misuse. Input validation and parameterized queries inside the module itself are in vendor code and can only be corrected by the vendor patch.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authentication and deep knowledge of the system, making it more likely to be exploited by insiders or sophisticated attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Note 3337797

Vendor Advisory: https://me.sap.com/notes/3337797

Restart Required: Yes

Instructions:

1. Download SAP Note 3337797 from the SAP Support Portal and apply the corrected patch level it names to every SAP Business One 10.0 installation, including the server running the B1i (Integration Framework) service.
2. Restart the SAP Business One application and related services, including the B1i service.
3. Verify the fix: confirm the installed version and patch level match the note and, on a test system, re-run your SQL injection test cases against the B1i module to confirm they are rejected.

🔧 Temporary Workarounds

Implement Input Validation

Partial measure only. The vulnerable query construction is in vendor code, so you cannot add validation inside the B1i module itself. What you can do is validate and parameterize inputs in any custom B1i scenarios or integration code of your own that builds SQL from inbound data, and front the B1i service with a reverse proxy or WAF rule set that rejects obvious SQL syntax in request parameters.

Restrict Database Permissions

Apply the principle of least privilege to the database account used by the B1i module: grant it only the rights the integration scenarios in use actually need and no server-level or administrative roles, so that an injected statement cannot reach beyond the data B1i legitimately touches.
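The difference between the input-validation workaround above and a parameterized query, as an added illustration that is not SAP code and not the actual B1i code path (which is not public): a lookup built by string concatenation is pivoted with a UNION to read a different table, while the same input bound as a parameter is only ever a literal that matches nothing. The schema, rows, payload and the partner-code format are constructed for the demo using Python's built-in sqlite3; table and column names are illustrative.

```python
import re
import sqlite3
from typing import List

# Assumed format for a partner code (illustrative, not an SAP rule).
CODE_PATTERN = re.compile(r"^[A-Z0-9]{1,15}$")

# Constructed payload: closes the string literal, pivots to the users table,
# and comments out the trailing quote the application appends.
PAYLOAD = "X' UNION SELECT user_name || ':' || pw_hash FROM users --"


def build_demo_db() -> sqlite3.Connection:
    """In-memory demo schema; names and rows are constructed, not SAP's."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE partners (code TEXT PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE users (user_name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL);
        INSERT INTO partners VALUES ('C1000', 'Acme Ltd'), ('C2000', 'Globex');
        INSERT INTO users VALUES ('manager', 'hash-1'), ('b1i_svc', 'hash-2');
        """
    )
    return con


def lookup_vulnerable(con: sqlite3.Connection, code: str) -> List[str]:
    """Builds the statement by string formatting: the caller's input becomes SQL."""
    sql = f"SELECT name FROM partners WHERE code = '{code}'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con: sqlite3.Connection, code: str) -> List[str]:
    """Binds the input as a parameter: it can only be compared as a value."""
    rows = con.execute("SELECT name FROM partners WHERE code = ?", (code,))
    return [row[0] for row in rows]


def is_valid_code(code: str) -> bool:
    """Defence in depth: reject anything that cannot be a partner code."""
    return CODE_PATTERN.fullmatch(code) is not None


def lookup_validated(con: sqlite3.Connection, code: str) -> List[str]:
    """Validate first, then use the parameterized query."""
    if not is_valid_code(code):
        raise ValueError(f"rejected partner code: {code!r}")
    return lookup_safe(con, code)


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable, benign input :", lookup_vulnerable(db, "C1000"))
    print("vulnerable, payload      :", lookup_vulnerable(db, PAYLOAD))
    print("parameterized, payload   :", lookup_safe(db, PAYLOAD))
    print("validated, payload       :", "rejected" if not is_valid_code(PAYLOAD) else "accepted")
```

The vulnerable path returns the users table for the payload even though the query was written to read partners; the parameterized path returns an empty list for the same string. Validation alone is the weaker control and is shown only as a second layer in front of the parameterized query.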

🧯 If You Can't Patch

  • Implement network segmentation to isolate SAP Business One systems from untrusted networks.
  • Enable database statement auditing (SQL Server Audit or an SAP HANA audit policy) for the database account B1i uses, and monitor those statements for suspicious patterns.

🔍 How to Verify

Check if Vulnerable:

Vulnerable if SAP Business One 10.0 is installed at a patch level below the corrected one named in SAP Note 3337797 and the B1i (Integration Framework) service is deployed.

Check Version:

Check the version and patch level in the SAP Business One client under Help > About, or consult your system documentation.

Verify Fix Applied:

Confirm the installed patch level is at or above the one named in SAP Note 3337797, then, on a test system, run your SQL injection test cases against the B1i module and confirm they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL query patterns in database logs from the B1i module
  • Multiple failed or complex queries from single authenticated sessions

Network Indicators:

  • Unusual network traffic patterns to the database from the B1i server, such as result volumes out of proportion to normal integration traffic
  • SQL error messages in database traffic (visible only where the database connection is not TLS-encrypted; otherwise rely on database-side logs)

SIEM Query:

source="database_logs" AND src_host IN ("<b1i-host-1>", "<b1i-host-2>") AND (query CONTAINS "UNION SELECT" OR query CONTAINS "--" OR query CONTAINS "/*" OR query CONTAINS "OR 1=1" OR query CONTAINS "; UPDATE" OR query CONTAINS "; DELETE" OR query CONTAINS "; DROP")

Replace the host placeholders with the servers that run the B1i service; the query only returns results if database statement auditing is enabled. "SELECT *" is deliberately not used as an indicator because ERP application code issues it routinely and it would drown real hits.
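The same detection logic run over sample audit lines, as an added example that is not part of the original page or any SAP tooling: it parses a constructed key=value statement log, scopes to the hosts running B1i, and flags structural injection indicators (UNION SELECT, comment sequences, tautologies, stacked statements) while ignoring the noisy "SELECT *". The log layout, the host name b1i-srv01 and the log lines are constructed for the demo; the SAP Business One table names in them (OCRD, OUSR, OINV, ORIN) only make the sample look realistic.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Assumed hostnames of the servers running the B1i (Integration Framework) service;
# replace with your own inventory.
B1I_HOSTS: Set[str] = {"b1i-srv01"}

# Constructed sample statement-audit lines in a simple key=value layout (not real
# SQL Server / HANA audit output; adapt LINE_RE to your collector's format).
SAMPLE_LOG = """\
2023-07-11T09:14:02Z host=b1i-srv01 user=B1I_SVC stmt="SELECT CardCode, CardName FROM OCRD WHERE CardCode = @p0"
2023-07-11T09:14:05Z host=b1i-srv01 user=B1I_SVC stmt="SELECT * FROM OITM WHERE ItemCode = 'A1001'"
2023-07-11T09:15:17Z host=b1i-srv01 user=B1I_SVC stmt="SELECT CardName FROM OCRD WHERE CardCode = 'X' UNION SELECT USER_CODE FROM OUSR --'"
2023-07-11T09:15:18Z host=b1i-srv01 user=B1I_SVC stmt="SELECT CardName FROM OCRD WHERE CardCode = 'X' OR 1=1 --'"
2023-07-11T09:15:19Z host=b1i-srv01 user=B1I_SVC stmt="SELECT CardName FROM OCRD WHERE CardCode = 'X'; UPDATE OUSR SET PASSWORD = 'x' --'"
2023-07-11T09:16:00Z host=rpt-srv07 user=REPORTING stmt="SELECT DocNum FROM OINV UNION SELECT DocNum FROM ORIN"
""".splitlines()

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) stmt="(?P<stmt>.*)"$'
)

# Structural indicators of injected SQL. "SELECT *" is deliberately absent:
# ERP application code issues it constantly and it would only add noise.
INDICATORS = {
    "union_select": re.compile(r"\bUNION\b(?:\s+ALL\b)?\s+SELECT\b", re.I),
    "comment_sequence": re.compile(r"--|/\*"),
    # OR 1=1, OR 'a'='a', OR "x"="x": same token on both sides of the comparison
    "tautology": re.compile(r"\bOR\s+(['\"]?)(\w+)\1\s*=\s*\1\2\1", re.I),
    "stacked_statement": re.compile(
        r";\s*(?:INSERT|UPDATE|DELETE|DROP|ALTER|TRUNCATE|CREATE|EXEC(?:UTE)?)\b", re.I
    ),
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one audit line into its fields; None if it does not match the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(stmt: str) -> List[str]:
    """Return the names of every indicator that fires on one SQL statement."""
    return [name for name, rx in INDICATORS.items() if rx.search(stmt)]


def find_suspicious(lines: Iterable[str], b1i_hosts: Set[str]) -> List[Dict]:
    """Statements issued from B1i hosts that trip at least one indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None or rec["host"] not in b1i_hosts:
            continue  # unparseable, or not a B1i host: out of scope for this rule
        found = classify(rec["stmt"])
        if found:
            hits.append({"line_no": n, **rec, "indicators": found})
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG, B1I_HOSTS):
        print(f'line {h["line_no"]} {h["ts"]} {h["user"]}@{h["host"]} {h["indicators"]}: {h["stmt"]}')
```

On the sample, lines 3, 4 and 5 are reported; line 2 (a routine SELECT *) and line 6 (a UNION from a reporting host outside the B1i scope) are not. Scoping by host is what keeps the UNION indicator usable: outside B1i, UNION is ordinary reporting SQL.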

🔗 References

  • SAP Note 3337797: https://me.sap.com/notes/3337797