{"containers": {"cna": {"affected": [{"product": "SAP CRM", "vendor": "SAP SE", "versions": [{"status": "affected", "version": "7.01"}, {"status": "affected", "version": "7.02"}, {"status": "affected", "version": "7.30"}, {"status": "affected", "version": "7.31"}, {"status": "affected", "version": "7.33"}, {"status": "affected", "version": "7.54"}]}], "datePublic": "2018-02-13T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing \"traverse to parent directory\" are passed through to the file APIs."}], "problemTypes": [{"descriptions": [{"description": "Directory/Path Traversal", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-03-17T09:57:01.000Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/erpscanteam/CVE-2018-2380"}, {"name": "44292", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/44292/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://launchpad.support.sap.com/#/notes/2547431"}, {"name": "103001", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/103001"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "ID": "CVE-2018-2380", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "SAP CRM", "version": {"version_data": [{"version_affected": "=", "version_value": "7.01"}, {"version_affected": "=", "version_value": "7.02"}, {"version_affected": "=", "version_value": "7.30"}, {"version_affected": "=", "version_value": "7.31"}, {"version_affected": "=", "version_value": "7.33"}, {"version_affected": "=", "version_value": "7.54"}]}}]}, "vendor_name": "SAP SE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing \"traverse to parent directory\" are passed through to the file APIs."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Directory/Path Traversal"}]}]}, "references": {"reference_data": [{"name": "https://github.com/erpscanteam/CVE-2018-2380", "refsource": "MISC", "url": "https://github.com/erpscanteam/CVE-2018-2380"}, {"name": "44292", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/44292/"}, {"name": "https://launchpad.support.sap.com/#/notes/2547431", "refsource": "CONFIRM", "url": "https://launchpad.support.sap.com/#/notes/2547431"}, {"name": "103001", "refsource": "BID", "url": "http://www.securityfocus.com/bid/103001"}, {"name": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/", "refsource": "CONFIRM", "url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T04:14:39.708Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/erpscanteam/CVE-2018-2380"}, {"name": "44292", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/44292/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://launchpad.support.sap.com/#/notes/2547431"}, {"name": "103001", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/103001"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/"}]}, {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2018-2380", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-29T20:12:55.158230Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2021-11-03", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-2380"}}}], "references": [{"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-2380", "tags": ["government-resource"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "timeline": [{"time": "2021-11-03T00:00:00+00:00", "lang": "en", "value": "CVE-2018-2380 added to CISA KEV"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-21T23:45:56.073Z"}}]}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2018-2380", "datePublished": "2018-03-01T17:00:00.000Z", "dateReserved": "2017-12-15T00:00:00.000Z", "dateUpdated": "2025-10-21T23:45:56.073Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/erpscanteam/CVE-2018-2380", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.exploit-db.com/exploits/44292/", "name": "44292", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"]}, {"url": "https://launchpad.support.sap.com/#/notes/2547431", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "http://www.securityfocus.com/bid/103001", "name": "103001", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"]}, {"url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T04:14:39.708Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2018-2380", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-29T20:12:55.158230Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2021-11-03", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-2380"}}}], "timeline": [{"lang": "en", "time": "2021-11-03T00:00:00+00:00", "value": "CVE-2018-2380 added to CISA KEV"}], "references": [{"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-2380", "tags": ["government-resource"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-29T20:12:57.452Z"}}], "cna": {"affected": [{"vendor": "SAP SE", "product": "SAP CRM", "versions": [{"status": "affected", "version": "7.01"}, {"status": "affected", "version": "7.02"}, {"status": "affected", "version": "7.30"}, {"status": "affected", "version": "7.31"}, {"status": "affected", "version": "7.33"}, {"status": "affected", "version": "7.54"}]}], "datePublic": "2018-02-13T00:00:00.000Z", "references": [{"url": "https://github.com/erpscanteam/CVE-2018-2380", "tags": ["x_refsource_MISC"]}, {"url": "https://www.exploit-db.com/exploits/44292/", "name": "44292", "tags": ["exploit", "x_refsource_EXPLOIT-DB"]}, {"url": "https://launchpad.support.sap.com/#/notes/2547431", "tags": ["x_refsource_CONFIRM"]}, {"url": "http://www.securityfocus.com/bid/103001", "name": "103001", "tags": ["vdb-entry", "x_refsource_BID"]}, {"url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing \"traverse to parent directory\" are passed through to the file APIs."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Directory/Path Traversal"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2018-03-17T09:57:01.000Z"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "7.01", "version_affected": "="}, {"version_value": "7.02", "version_affected": "="}, {"version_value": "7.30", "version_affected": "="}, {"version_value": "7.31", "version_affected": "="}, {"version_value": "7.33", "version_affected": "="}, {"version_value": "7.54", "version_affected": "="}]}, "product_name": "SAP CRM"}]}, "vendor_name": "SAP SE"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/erpscanteam/CVE-2018-2380", "name": "https://github.com/erpscanteam/CVE-2018-2380", "refsource": "MISC"}, {"url": "https://www.exploit-db.com/exploits/44292/", "name": "44292", "refsource": "EXPLOIT-DB"}, {"url": "https://launchpad.support.sap.com/#/notes/2547431", "name": "https://launchpad.support.sap.com/#/notes/2547431", "refsource": "CONFIRM"}, {"url": "http://www.securityfocus.com/bid/103001", "name": "103001", "refsource": "BID"}, {"url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/", "name": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing \"traverse to parent directory\" are passed through to the file APIs."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Directory/Path Traversal"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2018-2380", "STATE": "PUBLIC", "ASSIGNER": "cna@sap.com"}}}}, "cveMetadata": {"cveId": "CVE-2018-2380", "state": "PUBLISHED", "dateUpdated": "2025-10-21T23:45:56.073Z", "dateReserved": "2017-12-15T00:00:00.000Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2018-03-01T17:00:00.000Z", "assignerShortName": "sap"}, "dataVersion": "5.1"}

{"cisaActionDue": "2022-05-03", "cisaExploitAdd": "2021-11-03", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "SAP Customer Relationship Management (CRM) Path Traversal Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:customer_relationship_management:7.01:*:*:*:*:*:*:*", "matchCriteriaId": "136E88EF-877A-4881-B098-3472E02FC45A", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management:7.02:*:*:*:*:*:*:*", "matchCriteriaId": "3029F4DC-63CD-49C6-A98E-5A5B01E104FA", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management:7.30:*:*:*:*:*:*:*", "matchCriteriaId": "51E097C6-61E3-4D8A-ABEC-A32BA68E3D87", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management:7.31:*:*:*:*:*:*:*", "matchCriteriaId": "4258AAE6-ABD0-47C1-B794-E68D3A57EEE0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management:7.33:*:*:*:*:*:*:*", "matchCriteriaId": "4392BD0F-A286-4AEA-89E5-D151034C9055", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:customer_relationship_management:7.54:*:*:*:*:*:*:*", "matchCriteriaId": "CFD82446-BD1D-40E7-A216-2239B7D07691", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing \"traverse to parent directory\" are passed through to the file APIs."}, {"lang": "es", "value": "SAP CRM 7.01, 7.02, 7.30, 7.31, 7.33 y 7.54 permite que un atacante explote la validaci\u00f3n insuficiente de la informaci\u00f3n de ruta proporcionada por los usuarios, por lo que los caracteres que representan \"salto al directorio padre\" se pasan a las API de archivo."}], "id": "CVE-2018-2380", "lastModified": "2025-10-31T22:05:53.403", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2018-03-01T17:29:00.413", "references": [{"source": "cna@sap.com", "tags": ["Third Party Advisory", "VDB Entry", "Broken Link"], "url": "http://www.securityfocus.com/bid/103001"}, {"source": "cna@sap.com", "tags": ["Vendor Advisory"], "url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/"}, {"source": "cna@sap.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/erpscanteam/CVE-2018-2380"}, {"source": "cna@sap.com", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/2547431"}, {"source": "cna@sap.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/44292/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry", "Broken Link"], "url": "http://www.securityfocus.com/bid/103001"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://blogs.sap.com/2018/02/13/sap-security-patch-day-february-2018/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/erpscanteam/CVE-2018-2380"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/2547431"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/44292/"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["US Government Resource"], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-2380"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{}