CVE-2023-25617: SAP Cloud SDK for AI Python has OS Command Injection when Program Objects Execution is Enabled

March 14, 2023 (updated June 9, 2026)

SAP Business Object (Adaptive Job Server) - versions 420, 430, allows remote execution of arbitrary commands on Unix, when program objects execution is enabled, to authenticated users with scheduling rights, using the BI Launchpad, Central Management Console or a custom application based on the public java SDK. Programs could impact the confidentiality, integrity and availability of the system.

References

github.com/advisories/GHSA-xxhh-59gh-6ffx
github.com/pypa/advisory-database/tree/main/vulns/sap-ai-sdk-base/PYSEC-2023-315.yaml
launchpad.support.sap.com/
nvd.nist.gov/vuln/detail/CVE-2023-25617
www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

Code Behaviors & Features

Detect and mitigate CVE-2023-25617 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →