CVE-2018-2380 is a vulnerability in SAP Customer Relationship Management
Published on March 1, 2018

SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.

Vendor Advisory NVD

Known Exploited Vulnerability

This SAP NetWeaver AS JAVA CRM Remote Code Execution Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.

The following remediation steps are recommended / required by May 3, 2022: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2018-2380 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.3 out of four. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.

What is a Directory traversal Vulnerability?

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CVE-2018-2380 has been classified to as a Directory traversal vulnerability or weakness.

Products Associated with CVE-2018-2380

You can be notified by stack.watch whenever vulnerabilities like CVE-2018-2380 are published in these products:

SAP Customer Relationship Management

What versions of Customer Relationship Management are vulnerable to CVE-2018-2380?