CVE-2018-2380
6.6
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
Summary
SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| SAP SE | SAP CRM | 7.01 | affected |
| SAP SE | SAP CRM | 7.02 | affected |
| SAP SE | SAP CRM | 7.30 | affected |
| SAP SE | SAP CRM | 7.31 | affected |
| SAP SE | SAP CRM | 7.33 | affected |
| SAP SE | SAP CRM | 7.54 | affected |
Weaknesses
- Directory/Path Traversal
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/erpscanteam/CVE-2018-2380
- https://www.exploit-db.com/exploits/44292/
- https://launchpad.support.sap.com/#/notes/2547431
- http://www.securityfocus.com/bid/103001
- https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/
CISA ADP Vulnrichment
- SSVC:
- Exploitation: active
- Automatable: no
- Technical Impact: partial
Additional References
References
- https://github.com/erpscanteam/CVE-2018-2380
- https://www.exploit-db.com/exploits/44292/
- https://launchpad.support.sap.com/#/notes/2547431
- http://www.securityfocus.com/bid/103001
- https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.