CVE-2017-12637
Published: 07 August 2017
Summary
CVE-2017-12637 is a high-severity Path Traversal (CWE-22) vulnerability in SAP NetWeaver Application Server Java. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability is a directory traversal flaw, identified as CVE-2017-12637 and assigned CWE-22, that affects the scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS component in SAP NetWeaver Application Server Java 7.5. It carries a CVSS 3.1 score of 7.5, reflecting network-accessible, unauthenticated read access with high confidentiality impact.
Remote attackers can exploit the issue by supplying a .. sequence in the query string to retrieve arbitrary files from the server. The flaw was actively exploited in the wild during August 2017.
The issue is tracked under SAP Security Note 2486657 and appears in the CISA Known Exploited Vulnerabilities Catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-4176
Vulnerability details
Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.
- CWE(s): CWE-22
- KEV Date Added: 19 March 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of all inputs (including query-string parameters) to reject path traversal sequences such as .. before they reach the vulnerable SAP UIUtilJavaScriptJS endpoint.
- AC-3 (Access Enforcement): enforces access-control policy on every file-system read, blocking the unauthenticated retrieval of arbitrary files that the traversal flaw would otherwise permit.
- Implements information-flow rules that restrict which resources a remote, unauthenticated request may access, limiting the scope of any successful traversal.
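As an added illustration of the two controls above (not SAP's code and not part of this record), the following resolver validates a file name taken from a query string and then enforces that the normalised result stays inside the served directory; the web root path and the .js-only allow-list are assumptions chosen for the example.

```python
"""Defensive resolver for the path-traversal pattern behind CVE-2017-12637.

Added example, not SAP code. It applies SI-10 (input validation) and
AC-3 (access enforcement) to a file name supplied in a query string.
WEB_ROOT and ALLOWED_SUFFIXES are assumptions for illustration only.
"""
import posixpath
from urllib.parse import unquote

# Assumed document root the endpoint may serve from, and allowed file types.
WEB_ROOT = "/srv/netweaver/scheduler/ui/js"
ALLOWED_SUFFIXES = (".js",)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %252e%252e cannot hide a '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError("excessive percent-encoding nesting")


def resolve_requested_file(raw_name: str):
    """Return the absolute path to serve, or None if the request is rejected.

    SI-10: reject NUL bytes, backslashes, absolute paths and any '.' or
    '..' segment before the name is used at all.  AC-3: the normalised
    path must still lie under WEB_ROOT and carry an allowed suffix.
    """
    try:
        name = fully_decode(raw_name)
    except ValueError:
        return None
    if not name or "\x00" in name or "\\" in name or name.startswith("/"):
        return None
    if any(seg in ("..", ".") for seg in name.split("/")):
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, name))
    # Containment check: the normalised path must remain inside the root.
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    if not candidate.endswith(ALLOWED_SUFFIXES):
        return None
    return candidate
```

Rejecting any `..` segment outright (even one that would still resolve inside the root) keeps the check simple to audit and gives detection a clean signal to alert on.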