CVE-2018-2380.yaml
id: CVE-2018-2380

info:
  name: SAP CRM - Path Traversal to Code Execution
  author: ElromEvedElElyon
  severity: medium
  description: |
    SAP CRM versions 7.01, 7.02, 7.30, 7.31, 7.33, and 7.54 contain a path traversal vulnerability due to insufficient validation of path information provided by users. An authenticated attacker can traverse directories and access or upload arbitrary files, which can be chained to achieve remote code execution on the SAP application server.
  impact: |
    An authenticated attacker can read sensitive files from the server and potentially achieve code execution, leading to compromise of the SAP CRM system and access to business-critical customer data.
  remediation: |
    Apply SAP Security Note 2547431. Restrict access to the affected CRM endpoints.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2018-2380
    - https://launchpad.support.sap.com/#/notes/2547431
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 6.6
    cve-id: CVE-2018-2380
    cwe-id: CWE-22
    cpe: cpe:2.3:a:sap:customer_relationship_management:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: sap
    product: customer_relationship_management
    shodan-query: http.html:"SAP" http.html:"CRM"
  tags: cve,cve2018,sap,crm,path-traversal,kev,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/sap/public/info"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<COMPONENT>"
          - "SAP_ABA"
        condition: and

      - type: dsl
        dsl:
          - 'compare_versions(version, ">= 7.0") && compare_versions(version, "<= 7.54")'

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        internal: true
        regex:
          - '<RELEASE>(\d+\.\d+)</RELEASE>'
          - '<RELEASE>(\d+)</RELEASE>'

      - type: regex
        name: sap-component
        part: body
        group: 0
        regex:
          - '<COMPONENT>[^<]*CRM[^<]*</COMPONENT>'
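
An offline approximation of this template's `version` extractor and its three matchers, added here as an example (it is not part of the template or of nuclei) so the version gate can be checked against sample bodies before the template is trusted in a scan. Assumptions: `compare_versions` compares dotted segments numerically, the first capture of the first matching regex becomes `version`, and the `sample()` bodies are constructed rather than captured from a real system.

```python
import re

# Regexes, words and bounds copied from the template above.
VERSION_RES = [r"<RELEASE>(\d+\.\d+)</RELEASE>", r"<RELEASE>(\d+)</RELEASE>"]
WORDS = ["<COMPONENT>", "SAP_ABA"]
LOW, HIGH = "7.0", "7.54"


def parse(version):
    """Split a dotted version into integer segments, so '7.01' -> (7, 1)."""
    return tuple(int(part) for part in version.split("."))


def pad(segments, length):
    """Right-pad with zeros so (731,) compares like (731, 0)."""
    return segments + (0,) * (length - len(segments))


def in_range(version, low=LOW, high=HIGH):
    """Assumed semantics of the dsl matcher: segment-wise numeric comparison."""
    v, lo, hi = parse(version), parse(low), parse(high)
    n = max(len(v), len(lo), len(hi))
    return pad(lo, n) <= pad(v, n) <= pad(hi, n)


def extract_version(body):
    """Assumption: first capture of the first regex that matches is used."""
    for rx in VERSION_RES:
        m = re.search(rx, body)
        if m:
            return m.group(1)
    return None


def evaluate(status, body):
    """Return (matched, version) under matchers-condition: and."""
    version = extract_version(body)
    words_ok = all(word in body for word in WORDS)
    dsl_ok = version is not None and in_range(version)
    return (words_ok and dsl_ok and status == 200), version


def sample(release, component="SAP_ABA"):
    """Constructed response body carrying only the tags the template reads."""
    return f"<COMPONENT>{component}</COMPONENT><RELEASE>{release}</RELEASE>"
```

A release written without a dot is accepted by the second regex but compares as 731, so it falls outside the `7.0` to `7.54` range and the template stays silent for that body.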