Impact
Advisory sources associate CVE-2023-25617 / GHSA-xxhh-59gh-6ffx with SAP BusinessObjects Adaptive Job Server versions 420 and 430, where OS command execution is possible on Unix when Program Object execution is enabled and an authenticated user holds scheduling rights [S1][S2]. A repository dependency match for sap-ai-sdk-base is useful patch-triage evidence, but it is a version-string match only: it does not prove that the scanned application deploys SAP BusinessObjects, enables Program Object execution, grants scheduling rights to untrusted users, or exposes an exploitable command-execution path.
Affected dependency evidence
GitHub Advisory and OSV list the PyPI package sap-ai-sdk-base with affected versions through 3.3.0; GitLab's advisory page records the same range and lists no solution in that dependency database [S2][S3][S4]. PyPI currently shows later package releases, but because the cited dependency database names no fix, remediation should follow SAP-supported guidance, a documented non-affected release, or the relevant SAP BusinessObjects note rather than assuming that any single source file proves production safety [S5][S6].
Covered by FixVibe
FixVibe GitHub repo scans can now flag Python dependency evidence for sap-ai-sdk-base versions through 3.3.0 in manifests and lockfiles. Findings are reported as high-severity Version-based advisory evidence with the file path, version or constraint, advisory IDs, source quality, confidence, and the runtime boundary that remains unverified.
FixVibe does not run Python, import or execute sap-ai-sdk-base, connect to SAP BusinessObjects, authenticate to BI Launchpad or Central Management Console, schedule Program Objects, invoke SAP management APIs, send command-injection input, prove OS command execution, verify Program Object execution is enabled, verify authenticated scheduling rights, or confirm that the repository dependency is the runtime serving production traffic.
Fix guidance
Move sap-ai-sdk-base off affected versions using SAP-supported guidance or a documented non-affected release, then regenerate the active Python lockfile or constraints file and rebuild every API client, worker, notebook, CI job, virtualenv, package cache, and container image that installs it, and rerun the FixVibe GitHub repo scan. Where SAP BusinessObjects is deployed, apply the relevant SAP remediation, review Program Object execution settings, and limit scheduling rights to trusted operators. Verify with benign checks only: dependency-tree and runtime-version inspection, SAP patch/configuration review, and application smoke tests.
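The scan described under "Covered by FixVibe" and the benign dependency-tree and runtime-version checks in the fix guidance can be reproduced locally. The following is an added example written for this page, not FixVibe's or SAP's code: it classifies requirements-style manifest lines that reference sap-ai-sdk-base against the advisory ceiling of 3.3.0, and reports what the current interpreter actually has installed. The sample manifest is constructed for illustration, and the version handling is a simplified PEP 440 subset (release segment only; pre-release and post-release suffixes are ignored), which is an assumption of this example rather than a property of any tool named on this page.

```python
"""Added example (not FixVibe's or SAP's code): triage Python manifest lines for
sap-ai-sdk-base dependency evidence in the affected range (<= 3.3.0).
Stdlib only. Version handling is a simplified PEP 440 subset (release segment
only); that simplification is an assumption of this example."""
import re
from importlib import metadata

AFFECTED_PACKAGE = "sap-ai-sdk-base"   # PEP 503 normalized name
LAST_AFFECTED = (3, 3, 0)               # advisory sources: affected through 3.3.0

# Constructed sample manifest lines (not taken from any real repository).
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
sap-ai-sdk-base==3.2.1          # pinned inside the affected range
SAP_AI_SDK_BASE>=3.0,<4         # range that still admits affected releases
sap-ai-sdk-base                 # unpinned: the lockfile decides
sap-ai-sdk-base==3.3.0
sap-ai-sdk-base==3.4.0          # pinned above the affected range
sap-ai-sdk-base~=3.5.1
"""

_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*([^#;]*)")
_VER = re.compile(r"^v?(\d+(?:\.\d+)*)")


def normalize(name: str) -> str:
    """PEP 503 name normalization, so SAP_AI_SDK_BASE matches sap-ai-sdk-base."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> tuple:
    """Release segment as a tuple, zero-padded to three parts; suffixes like rc1 are dropped."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def lower_bound(spec: str):
    """Lowest release a specifier can resolve to, or None if it is unbounded below."""
    bound = None
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = re.match(r"(===|==|~=|>=|>|<=|<|!=)\s*(.+)", clause)
        if not m:
            continue
        op, ver = m.group(1), m.group(2).rstrip("*.")
        if op in ("===", "==", "~=", ">=", ">"):
            v = parse_version(ver)
            if op == ">":
                v = v + (1,)  # strictly greater: only releases above v are admitted
            if bound is None or v > bound:
                bound = v
    return bound


def classify(spec: str) -> str:
    """Verdict for one specifier relative to the advisory ceiling."""
    spec = spec.strip()
    pin = re.match(r"^===?\s*([^,\s*]+)$", spec)
    if pin:  # exact pin: decisive either way
        return "affected" if parse_version(pin.group(1)) <= LAST_AFFECTED else "not-affected"
    bound = lower_bound(spec)
    if bound is None:  # no lower bound at all: only the lockfile can answer
        return "unpinned-verify-lockfile"
    return "may-resolve-affected" if bound <= LAST_AFFECTED else "not-affected"


def scan_requirements(text: str) -> list:
    """Return (line_no, normalized_name, specifier, verdict) for each sap-ai-sdk-base line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _REQ.match(line)
        if not m:
            continue  # blank, comment, or option line such as -r / --index-url
        name, spec = normalize(m.group(1)), m.group(2).strip()
        if name == AFFECTED_PACKAGE:
            findings.append((n, name, spec, classify(spec)))
    return findings


def runtime_version_verdict(package: str = AFFECTED_PACKAGE) -> str:
    """Benign runtime check: what this interpreter has installed, if anything."""
    try:
        installed = metadata.version(package)
    except metadata.PackageNotFoundError:
        return "not-installed"
    return "affected" if parse_version(installed) <= LAST_AFFECTED else "not-affected"


if __name__ == "__main__":
    for finding in scan_requirements(SAMPLE_REQUIREMENTS):
        print(finding)
    print("runtime:", runtime_version_verdict())
```

A manifest verdict of `may-resolve-affected` or `unpinned-verify-lockfile` is exactly the unverified runtime boundary the scan report calls out: the constraint admits affected releases, but only the regenerated lockfile or the interpreter actually serving traffic shows which release is installed, which is what `runtime_version_verdict` checks from inside that environment.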
