cve-2018-2380
Vulnerability from cvelistv5
Published
2018-03-01 17:00
Modified
2024-08-05 04:14
Severity ?
EPSS score ?
Summary
SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.
References
Impacted products
CISA Known exploited vulnerability
Data from the Known Exploited Vulnerabilities Catalog
Date added: 2021-11-03
Due date: 2022-05-03
Required action: Apply updates per vendor instructions.
Used in ransomware: Known
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-2380
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:14:39.708Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/erpscanteam/CVE-2018-2380"
},
{
"name": "44292",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/44292/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://launchpad.support.sap.com/#/notes/2547431"
},
{
"name": "103001",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103001"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "SAP CRM",
"vendor": "SAP SE",
"versions": [
{
"status": "affected",
"version": "7.01"
},
{
"status": "affected",
"version": "7.02"
},
{
"status": "affected",
"version": "7.30"
},
{
"status": "affected",
"version": "7.31"
},
{
"status": "affected",
"version": "7.33"
},
{
"status": "affected",
"version": "7.54"
}
]
}
],
"datePublic": "2018-02-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing \"traverse to parent directory\" are passed through to the file APIs."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Directory/Path Traversal",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-17T09:57:01",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/erpscanteam/CVE-2018-2380"
},
{
"name": "44292",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/44292/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://launchpad.support.sap.com/#/notes/2547431"
},
{
"name": "103001",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103001"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cna@sap.com",
"ID": "CVE-2018-2380",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "SAP CRM",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "7.01"
},
{
"version_affected": "=",
"version_value": "7.02"
},
{
"version_affected": "=",
"version_value": "7.30"
},
{
"version_affected": "=",
"version_value": "7.31"
},
{
"version_affected": "=",
"version_value": "7.33"
},
{
"version_affected": "=",
"version_value": "7.54"
}
]
}
}
]
},
"vendor_name": "SAP SE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing \"traverse to parent directory\" are passed through to the file APIs."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Directory/Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/erpscanteam/CVE-2018-2380",
"refsource": "MISC",
"url": "https://github.com/erpscanteam/CVE-2018-2380"
},
{
"name": "44292",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/44292/"
},
{
"name": "https://launchpad.support.sap.com/#/notes/2547431",
"refsource": "CONFIRM",
"url": "https://launchpad.support.sap.com/#/notes/2547431"
},
{
"name": "103001",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103001"
},
{
"name": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/",
"refsource": "CONFIRM",
"url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2018-2380",
"datePublished": "2018-03-01T17:00:00",
"dateReserved": "2017-12-15T00:00:00",
"dateUpdated": "2024-08-05T04:14:39.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"cisa_known_exploited": {
"cveID": "CVE-2018-2380",
"cwes": "[\"CWE-22\"]",
"dateAdded": "2021-11-03",
"dueDate": "2022-05-03",
"knownRansomwareCampaignUse": "Known",
"notes": "https://nvd.nist.gov/vuln/detail/CVE-2018-2380",
"product": "Customer Relationship Management (CRM)",
"requiredAction": "Apply updates per vendor instructions.",
"shortDescription": "SAP Customer Relationship Management (CRM) contains a path traversal vulnerability that allows an attacker to exploit insufficient validation of path information provided by users.",
"vendorProject": "SAP",
"vulnerabilityName": "SAP Customer Relationship Management (CRM) Path Traversal Vulnerability"
},
"fkie_nvd": {
"cisaActionDue": "2022-05-03",
"cisaExploitAdd": "2021-11-03",
"cisaRequiredAction": "Apply updates per vendor instructions.",
"cisaVulnerabilityName": "SAP Customer Relationship Management (CRM) Path Traversal Vulnerability",
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:customer_relationship_management:7.01:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"136E88EF-877A-4881-B098-3472E02FC45A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:customer_relationship_management:7.02:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3029F4DC-63CD-49C6-A98E-5A5B01E104FA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:customer_relationship_management:7.30:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"51E097C6-61E3-4D8A-ABEC-A32BA68E3D87\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:customer_relationship_management:7.31:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4258AAE6-ABD0-47C1-B794-E68D3A57EEE0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:customer_relationship_management:7.33:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4392BD0F-A286-4AEA-89E5-D151034C9055\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sap:customer_relationship_management:7.54:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CFD82446-BD1D-40E7-A216-2239B7D07691\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing \\\"traverse to parent directory\\\" are passed through to the file APIs.\"}, {\"lang\": \"es\", \"value\": \"SAP CRM 7.01, 7.02, 7.30, 7.31, 7.33 y 7.54 permite que un atacante explote la validaci\\u00f3n insuficiente de la informaci\\u00f3n de ruta proporcionada por los usuarios, por lo que los caracteres que representan \\\"salto al directorio padre\\\" se pasan a las API de archivo.\"}]",
"id": "CVE-2018-2380",
"lastModified": "2024-11-21T04:03:42.830",
"metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L\", \"baseScore\": 6.6, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 3.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:P/A:P\", \"baseScore\": 6.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2018-03-01T17:29:00.413",
"references": "[{\"url\": \"http://www.securityfocus.com/bid/103001\", \"source\": \"cna@sap.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/\", \"source\": \"cna@sap.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/erpscanteam/CVE-2018-2380\", \"source\": \"cna@sap.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://launchpad.support.sap.com/#/notes/2547431\", \"source\": \"cna@sap.com\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://www.exploit-db.com/exploits/44292/\", \"source\": \"cna@sap.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securityfocus.com/bid/103001\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/erpscanteam/CVE-2018-2380\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://launchpad.support.sap.com/#/notes/2547431\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://www.exploit-db.com/exploits/44292/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\", \"VDB Entry\"]}]",
"sourceIdentifier": "cna@sap.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2018-2380\",\"sourceIdentifier\":\"cna@sap.com\",\"published\":\"2018-03-01T17:29:00.413\",\"lastModified\":\"2024-11-21T04:03:42.830\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing \\\"traverse to parent directory\\\" are passed through to the file APIs.\"},{\"lang\":\"es\",\"value\":\"SAP CRM 7.01, 7.02, 7.30, 7.31, 7.33 y 7.54 permite que un atacante explote la validaci\u00f3n insuficiente de la informaci\u00f3n de ruta proporcionada por los usuarios, por lo que los caracteres que representan \\\"salto al directorio padre\\\" se pasan a las API de archivo.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L\",\"baseScore\":6.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.3,\"impactScore\":3.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"cisaExploitAdd\":\"2021-11-03\",\"cisaActionDue\":\"2022-05-03\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"SAP Customer Relationship Management (CRM) Path Traversal Vulnerability\",\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:customer_relationship_management:7.01:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"136E88EF-877A-4881-B098-3472E02FC45A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:customer_relationship_management:7.02:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3029F4DC-63CD-49C6-A98E-5A5B01E104FA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:customer_relationship_management:7.30:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"51E097C6-61E3-4D8A-ABEC-A32BA68E3D87\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:customer_relationship_management:7.31:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4258AAE6-ABD0-47C1-B794-E68D3A57EEE0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:customer_relationship_management:7.33:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4392BD0F-A286-4AEA-89E5-D151034C9055\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sap:customer_relationship_management:7.54:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CFD82446-BD1D-40E7-A216-2239B7D07691\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/bid/103001\",\"source\":\"cna@sap.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/\",\"source\":\"cna@sap.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/erpscanteam/CVE-2018-2380\",\"source\":\"cna@sap.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://launchpad.support.sap.com/#/notes/2547431\",\"source\":\"cna@sap.com\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://www.exploit-db.com/exploits/44292/\",\"source\":\"cna@sap.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securityfocus.com/bid/103001\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/erpscanteam/CVE-2018-2380\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://launchpad.support.sap.com/#/notes/2547431\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://www.exploit-db.com/exploits/44292/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.