Back to KEVs

CVE-2017-12637

Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote...

Basic Information

CVE State: PUBLISHED
Reserved Date: August 07, 2017
Published Date: August 07, 2017
Last Updated: March 27, 2025
Vendor: SAP
Product: NetWeaver Application Server Java
Description: Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.
Tags

CVSS Scores

CVSS v3.1

7.5 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2.0

5.0

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: partial

Exploit Status

Exploited in the Wild: Yes (2025-03-19 00:00:00 UTC) Source

References

https://web.archive.org/web/20170807202056/http://www.sh0w.top/index.php/archives/7/

Known Exploited Vulnerability Information

Source	Added Date
CISA	2025-03-19 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2017/CVE-2017-12637.yaml	2025-04-26 00:00:00 UTC

Timeline

CVE ID Reserved

August 07, 2017
CVE Published to Public

August 07, 2017
Added to KEVIntel

March 19, 2025
Detected by Nuclei

April 26, 2025