CVE-2018-2380
Published: 01 March 2018
Summary
CVE-2018-2380 is a medium-severity Path Traversal (CWE-22) vulnerability in SAP Customer Relationship Management (SAP CRM). Its CVSS base score is 6.6 (Medium).
Operationally, it ranks in the top 2.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
SAP CRM versions 7.01, 7.02, 7.30, 7.31, 7.33, and 7.54 contain a path traversal vulnerability resulting from insufficient validation of user-supplied path information. Directory traversal sequences are passed directly to underlying file APIs, enabling access outside intended directories. The issue is tracked as CWE-22 with a CVSS 3.1 base score of 6.6.
An attacker with high privileges can send crafted requests over the network to read, modify, or otherwise affect files accessible to the application. The CVSS scope is Changed: a successful attack has limited impact on the confidentiality, integrity, and availability of resources beyond the vulnerable component itself.
SAP security notes and the February 2018 patch day announcement direct customers to apply corrections referenced in SAP Note 2547431. Public proof-of-concept code has been published on Exploit-DB and GitHub demonstrating the traversal technique against the affected CRM components.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-14235
Vulnerability details
SAP CRM, 7.01, 7.02, 7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.
- CWE(s): CWE-22
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of user-supplied path data to reject traversal sequences before they reach file APIs.
- AC-3 (Access Enforcement): enforces access-control decisions on file resources so that traversal attempts outside authorized directories are blocked.
- Limits the high privileges required by the CVE, reducing the set of files an authenticated attacker can reach via traversal.
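The two controls above (SI-10 validation of the supplied path and AC-3 confinement to an authorized directory) and the mechanism described under "Deeper analysis" come down to one rule: canonicalize the user-supplied path first, then check that the result is still inside the directory the application is allowed to serve. The following is an added example, not SAP code and not part of this record; the base directory, file names, and request strings are constructed for the demonstration.

```python
"""Canonicalize-then-confine path validation (added example, not SAP code).

The check resolves the candidate path against a base directory (following
symlinks and collapsing ".." components) and only then decides whether it is
still inside the base. String filtering of ".." alone is not enough, because
percent-encoding, backslashes and symlinks all reach the file API as a
different string than the one a naive filter saw.
"""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would leave the allowed base directory."""


def resolve_under_base(base_dir: str, user_path: str, decode_url: bool = True) -> Path:
    """Return the canonical path for user_path inside base_dir, or raise.

    SI-10 part: normalize the input (percent-decoding, separator handling,
    NUL rejection). AC-3 part: refuse anything whose canonical form is not
    strictly below the base directory.
    """
    base = Path(base_dir).resolve()
    raw = unquote(user_path) if decode_url else user_path
    if "\x00" in raw:
        # NUL truncation is a classic way to cut off a prefix/suffix check.
        raise PathTraversalError("NUL byte in path")
    # Treat backslashes as separators so "..\\" cannot slip past on a
    # platform that accepts either separator.
    raw = raw.replace("\\", "/")
    # Path joining discards base if raw is absolute, which is exactly why the
    # containment check below is done on the resolved result, not on raw.
    candidate = (base / raw).resolve()
    if base not in candidate.parents:
        raise PathTraversalError(f"{user_path!r} resolves outside {base}")
    return candidate


def classify(base_dir: str, user_path: str) -> str:
    """Detection-style wrapper: 'allowed' or 'rejected' for a request path."""
    try:
        resolve_under_base(base_dir, user_path)
        return "allowed"
    except PathTraversalError:
        return "rejected"


# Constructed request paths: one legitimate, the rest traversal variants that
# a prefix or substring check commonly mishandles.
SAMPLE_REQUESTS = [
    "docs/report.txt",              # legitimate file under the base
    "../../etc/passwd",             # plain parent-directory traversal
    "docs/../../secret.txt",        # traversal hidden behind a valid prefix
    "%2e%2e/%2e%2e/etc/passwd",     # percent-encoded ".."
    "/etc/passwd",                  # absolute path replaces the base on join
    "docs\\..\\..\\x",              # backslash separators
    "escape/anything",              # symlink inside base pointing outside
]


def demo() -> dict:
    """Build a throwaway base directory and classify each sample request."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "app_root"
        (base / "docs").mkdir(parents=True)
        (base / "docs" / "report.txt").write_text("constructed report\n")
        outside = Path(tmp) / "outside"
        outside.mkdir()
        try:
            os.symlink(outside, base / "escape")
        except OSError:
            pass  # no symlink support: that case then fails as a missing path
        for req in SAMPLE_REQUESTS:
            results[req] = classify(str(base), req)
    return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{verdict:8s} {req}")
```

The `escape` case is the one most often missed: the literal string contains no `..` at all, yet after `resolve()` it lies outside the base because the symlink is followed. Resolving before checking is what makes the AC-3 confinement decision hold for the path the file API will actually open.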