CVE-2017-12637

high

Description

Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.

References

Advisories
Exploits

https://web.archive.org/web/20170807202056/http://www.sh0w.top/index.php/archives/7/

https://thehackernews.com/2025/04/sap-confirms-critical-netweaver-flaw.html

https://www.securityweek.com/cisa-warns-of-exploited-nakivo-vulnerability/

https://thehackernews.com/2025/03/cisa-adds-nakivo-vulnerability-to-kev.html

https://securityaffairs.com/175663/security/u-s-cisa-adds-edimax-ic-7100-ip-camera-nakivo-and-sap-netweaver-as-java-flaws-to-its-known-exploited-vulnerabilities-catalog.html

https://www.cisa.gov/news-events/alerts/2025/03/19/cisa-adds-three-known-exploited-vulnerabilities-catalog

Details

Source: Mitre, NVD

Published: 2017-08-07

Updated: 2025-04-20

Known Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High

EPSS

EPSS: 0.9191