Security News > 2020 > June > Newly Patched SAP ASE Flaws Could Let Attackers Hack Database Servers
A new set of critical vulnerabilities uncovered in SAP's Sybase database software can grant unprivileged attackers complete control over a targeted database and even the underlying operating system in certain scenarios.
A second vulnerability concerns ASE Cockpit, a web-based administrative console that's used for monitoring the status and availability of ASE servers.
Two other flaws allow an authenticated user to execute crafted database queries to elevate their privileges via SQL injection, permitting a user with no special privileges to gain database administrator access.
In the latter case, an attacker-controlled ASE database dump is altered with malicious data before it is loaded into a target ASE server.
Besides these six flaws in Adaptive Server, SAP has also released critical security patches for ABAP application server, Business Client, BusinessObjects, Master Data Governance, Plant Connectivity, NetWeaver, and SAP Identity Management software as part of its May 2020 batch of patch releases.