Vulnerability Details CVE-2018-2380
SAP CRM 7.01, 7.02, 7.30, 7.31, 7.33, 7.54 allows an attacker to exploit insufficient validation of path information provided by users, so that characters representing "traverse to parent directory" are passed through to the file APIs.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.453
EPSS Ranking 97.5%
CVSS Severity
CVSS v3 Score 6.6
CVSS v2 Score 6.5
Proposed Action
SAP Customer Relationship Management (CRM) contains a path traversal vulnerability that allows an attacker to exploit insufficient validation of path information provided by users.
Ransomware Campaign
Known
Products affected by CVE-2018-2380
- cpe:2.3:a:sap:customer_relationship_management:7.01
- cpe:2.3:a:sap:customer_relationship_management:7.02
- cpe:2.3:a:sap:customer_relationship_management:7.30
- cpe:2.3:a:sap:customer_relationship_management:7.31
- cpe:2.3:a:sap:customer_relationship_management:7.33
- cpe:2.3:a:sap:customer_relationship_management:7.54