SAP Netweaver ABAP – EPS_OPEN_INPUT_FILE path traversal

Impact On Business

An attacker with high level privileges can use a remote enabled function to read a file which is otherwise restricted. On successful exploitation an attacker can completely compromise the confidentiality of the application.

Affected Components Description

SAP NetWeaver Application Server for ABAP provides both the runtime environment and the development environment for all ABAP programs.

Vulnerability Details

A path traversal exists in the function module EPS_OPEN_INPUT_FILE. A verification is done on FILE_NAME import variable, but not on DIR_NAME import variable.

It is possible to bypass the check_trans_read_authority and the check_ftp_authority by prefixing the DIR_NAME by a specific value to trick the program that requests come from SAP Transport API.

Solution

SAP has released SAP Note 3256571 which provides patched versions of the affected components.

The patches can be downloaded from https://launchpad.support.sap.com/#/notes/3256571.

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

Report Timeline

08/02/2022: Onapsis sends details to SAP
11/08/2022: SAP releases SAP Note fixing the issue.

References

Onapsis blogpost: https://onapsis.com/blog/sap-patch-day-november-2022
CVE Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41212
Vendor Patch: https://launchpad.support.sap.com/#/notes/3256571

Back to Advisories

Advisory Information

Public Release Date: 07/18/25
Security Advisory ID: ONAPSIS-2024-0013
Researcher(s): Yvan Genuer

Vulnerability Information

Vendor: SAP
Affected Components:
- SAP NetWeaver Application Server ABAP and ABAP Platform
- SAP_BASIS 700 Patch 41 and lower
- SAP_BASIS 701 Patch 25 and lower
- SAP_BASIS 702 Patch 25 and lower
- SAP_BASIS 731 Patch 32 and lower
- SAP_BASIS 740 Patch 29 and lower
- SAP_BASIS 750 Patch 26 and lower
- SAP_BASIS 751 Patch 16 and lower
- SAP_BASIS 752 Patch 12 and lower
- SAP_BASIS 753 Patch 10 and lower
- SAP_BASIS 754 Patch 08 and lower
- SAP_BASIS 755 Patch 06 and lower
- SAP_BASIS 756 Patch 04 and lower
- SAP_BASIS 757 Patch 01 and lower
- SAP_BASIS 789 Patch 08 and lower
- SAP_BASIS 790 Patch 03 and lower
- SAP_BASIS 804 Patch 06 and lower
  (Check SAP Note 3256571 for detailed information on affected releases)
Vulnerability Class: CWE-548
CVSS v3 score: 4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Risk Level: Medium
Assigned CVE: CVE-2022-41212
Vendor patch Information: SAP Security NOTE 3256571

ABOUT OUR RESEARCH LABS

Onapsis Research Labs provides the industry analysis of key security issues that impact mission-critical systems and applications.

Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combine in-depth knowledge and experience to deliver technical and business-context with sound security judgment to the broader information security community.

Find all reported vulnerabilities at:
https://github.com/Onapsis/vulnerability_advisories

This advisory is licensed under a Creative Commons 4.0 BY-ND International License

Safeguarding Tomorrow: Empowering SAP Customers with Advanced Cyber Risk Management

Securing SAP Business Technology Platform (BTP)

The Book on Cybersecurity for SAP

Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)

Your S/4HANA Cloud Journey