CVE-2018-2367: Path Traversal
First published: Thu Mar 01 2018(Updated: )
ABAP File Interface in, SAP BASIS, from 7.00 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs.
Credit: cna@sap.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Sap Business Application Software Integrated Solution | >=7.00<=7.02 | |
| Sap Business Application Software Integrated Solution | >=7.10<=7.11 | |
| Sap Business Application Software Integrated Solution | >=7.50<=7.52 | |
| Sap Business Application Software Integrated Solution | =7.30 | |
| Sap Business Application Software Integrated Solution | =7.31 | |
| Sap Business Application Software Integrated Solution | =7.40 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2018-2367?
The severity of CVE-2018-2367 is high with a severity value of 8.8.
Which versions of SAP BASIS are affected by CVE-2018-2367?
CVE-2018-2367 affects SAP BASIS versions 7.00 to 7.02, 7.10 to 7.11, 7.30, 7.31, 7.40, and 7.50 to 7.52.
What is the vulnerability in SAP BASIS?
The vulnerability in SAP BASIS is caused by insufficient validation of path information provided by users, allowing an attacker to pass characters representing "traverse to parent directory" to the file APIs.
Are there any known exploits of CVE-2018-2367?
There are currently no known exploits of CVE-2018-2367.
How can I mitigate the vulnerability in SAP BASIS?
To mitigate the vulnerability in SAP BASIS, apply the security patches provided by SAP and follow their recommended best practices for securing the ABAP File Interface.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/tags
- agent/first-publish-date
- agent/description
- agent/softwarecombine
- agent/event
- vendor/sap
- canonical/sap business application software integrated solution
- version/sap business application software integrated solution/7.00
- version/sap business application software integrated solution/7.02
- version/sap business application software integrated solution/7.10
- version/sap business application software integrated solution/7.11
- version/sap business application software integrated solution/7.50
- version/sap business application software integrated solution/7.52
- version/sap business application software integrated solution/7.30
- version/sap business application software integrated solution/7.31
- version/sap business application software integrated solution/7.40