Symptom
A path traversal vulnerability has been identified in SAP NetWeaver WebDynpro Java due to improper path normalization when processing requests containing an encoded traversal sequence (..%3ba, i.e. ".." followed by the path parameter ";a"). This issue occurs when a reverse proxy (such as SAP Web Dispatcher) forwards requests without properly normalizing the path before sending them to the backend.
As a result, SAP NetWeaver AS Java misinterprets the URL and allows access to files outside the intended application directory.
It is observed that the endpoint https://hostname/webdynpro/dispatcher/sap.com/..%3ba/META-INF/MANIFEST.MF is vulnerable to path traversal. This vulnerability affects SAP NetWeaver Application Server 7.53 / AS Java 7.50 running on the server. The issue occurs due to improper input validation: the application does not properly sanitize or validate path inputs, allowing an attacker to use encoded path traversal sequences to access files outside the intended directory structure.
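As an added illustration (not part of the KBA and not SAP's code), the following Python check approximates the lenient normalization the Java backend applies to a path the proxy forwarded untouched, and flags requests whose normalized path leaves the application prefix; the prefix, the access-log format and the sample log lines are assumptions constructed for the example.

```python
# Added example: proxy-side detection of the normalization mismatch described
# above ("..%3ba" decodes to "..;a", which the backend collapses to "..").
from urllib.parse import unquote
import posixpath

# Assumed application prefix for the endpoint named in the KBA.
APP_PREFIX = "/webdynpro/dispatcher/sap.com/"


def normalize_like_backend(raw_path: str) -> str:
    """Approximate what a Java web container does with the raw path:
    percent-decode once, drop ';...' path parameters from each segment,
    then collapse '.' and '..' segments."""
    decoded = unquote(raw_path)                                   # "..%3ba" -> "..;a"
    segments = [s.split(";", 1)[0] for s in decoded.split("/")]  # "..;a"  -> ".."
    return posixpath.normpath("/".join(segments))


def escapes_prefix(raw_path: str, prefix: str = APP_PREFIX) -> bool:
    """True when a request routed under `prefix` resolves outside it.
    A legitimate ';jsessionid=...' parameter is stripped but does not escape."""
    if not raw_path.startswith(prefix):
        return False  # not this application's namespace; out of scope here
    normalized = normalize_like_backend(raw_path)
    return not (normalized + "/").startswith(prefix)


def scan_access_log(lines):
    """Return (raw_path, normalized_path) for each flagged request.
    Assumed line format: '<ip> - - [ts] "GET <path> HTTP/1.1" <status>'."""
    flagged = []
    for line in lines:
        try:
            path = line.split('"', 2)[1].split(" ")[1]
        except IndexError:
            continue  # malformed line, skip
        if escapes_prefix(path):
            flagged.append((path, normalize_like_backend(path)))
    return flagged


# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /webdynpro/dispatcher/sap.com/myapp/Main;jsessionid=ABC HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /webdynpro/dispatcher/sap.com/..%3ba/META-INF/MANIFEST.MF HTTP/1.1" 200',
]

if __name__ == "__main__":
    for raw, norm in scan_access_log(SAMPLE_LOG):
        print(f"traversal: {raw} -> {norm}")
```

The same check, applied at the proxy before forwarding, is the normalization step whose absence the Symptom section describes.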
Environment
SAP NetWeaver Application Server Java
Product
Keywords
Path Traversal, META-INF, com.sap.engine.docs.examples, buildinfo.xml, KBA, BC-JAS-WEB, Web Container, HTTP, JavaMail, Servlets, Problem
About this page
This is a preview of a SAP Knowledge Base Article.