PT-2016-1283 · Sap · Sap Netweaver+1

Dmitry Chastuhin · Published 2016-02-16 · Updated 2018-12-10 · CVE-2016-2389

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
SAP NetWeaver version 7.4, SAP Manufacturing Integration and Intelligence (xMII) component version 15.0

Description
The issue is a directory traversal vulnerability in the SAP Manufacturing Integration and Intelligence (xMII) component. A remote, unauthenticated attacker can read arbitrary files on the server because the restrictions applied to path names are insufficient. The vulnerability is exploited through the GetFileList function by supplying ".." (dot dot) sequences in the Path parameter of the "/Catalog" endpoint.

Recommendations
For SAP NetWeaver 7.4 with the xMII component version 15.0, restrict access to the GetFileList function until the vendor patch is applied. As a temporary workaround, do not expose the Path parameter of the "/Catalog" endpoint to untrusted callers; this minimizes the risk of exploitation.
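The advisory names three things a defender can key on: the "/Catalog" endpoint, the GetFileList function and a Path parameter carrying "..". The following is an added example, not code from the advisory or from SAP, showing (a) a log check that flags such requests, including URL-encoded and double-encoded variants, and (b) the path-containment test that a file-listing function should apply before touching the filesystem. The log lines and the exact URL layout (/XMII/Catalog?Mode=GetFileList&Path=...) are constructed assumptions; only "/Catalog", "GetFileList" and "Path" come from the advisory.

```python
"""Flag GetFileList requests whose Path parameter escapes the catalog root,
and show the containment check that prevents the traversal server-side.

Sample log lines below are constructed for this example. The request layout
/XMII/Catalog?Mode=GetFileList&Path=... is an assumption; the advisory only
names the /Catalog endpoint, the GetFileList function and the Path parameter.
"""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (common log format). Not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Feb/2016:10:01:02 +0000] "GET /XMII/Catalog?Mode=GetFileList&Path=Reports/Daily HTTP/1.1" 200 1842',
    '10.0.0.9 - - [16/Feb/2016:10:01:07 +0000] "GET /XMII/Catalog?Mode=GetFileList&Path=../../../../etc/passwd HTTP/1.1" 200 2315',
    '10.0.0.9 - - [16/Feb/2016:10:01:09 +0000] "GET /XMII/Catalog?Mode=GetFileList&Path=..%2F..%2Fconf%2Fserver.xml HTTP/1.1" 200 990',
    '10.0.0.9 - - [16/Feb/2016:10:01:11 +0000] "GET /XMII/Catalog?Mode=GetFileList&Path=%252e%252e%252fsecret HTTP/1.1" 200 10',
    '10.0.0.7 - - [16/Feb/2016:10:02:00 +0000] "GET /XMII/Catalog?Mode=GetFileList&Path=Reports/..Archive HTTP/1.1" 200 50',
]


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so %252e%252e (double-encoded '..') is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_dotdot(path):
    """True if any path segment is exactly '..' (forward or back slashes)."""
    return any(seg == '..' for seg in path.replace('\\', '/').split('/'))


def is_getfilelist_traversal(request_line):
    """request_line is the quoted 'GET /target HTTP/1.1' part of a log line."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    target = parts[1]
    url = urlsplit(target)
    if 'catalog' not in url.path.lower():
        return False
    # GetFileList may be selected via a parameter value or a path segment.
    if 'getfilelist' not in decode_fully(target.lower()):
        return False
    params = {k.lower(): v for k, v in
              parse_qs(url.query, keep_blank_values=True).items()}
    return any(has_dotdot(decode_fully(p)) for p in params.get('path', []))


def scan_log(lines):
    """Return the source IP of every line matching the traversal pattern."""
    hits = []
    for line in lines:
        quoted = re.search(r'"([^"]*)"', line)
        if quoted and is_getfilelist_traversal(quoted.group(1)):
            hits.append(line.split()[0])
    return hits


def resolve_under_root(root, requested):
    """Server-side check: normalise root + requested and refuse anything that
    resolves outside root. Returns the safe absolute path or None."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip('/')))
    if candidate == root or candidate.startswith(root + '/'):
        return candidate
    return None


if __name__ == '__main__':
    for ip in scan_log(SAMPLE_LOG):
        print('traversal attempt from', ip)
    print(resolve_under_root('/srv/xmii/catalog', '../../../../etc/passwd'))
```

The log check deliberately matches on segments equal to ".." after full decoding, so a legitimate folder such as "Reports/..Archive" is not flagged while "%252e%252e%252f" is. The containment check is the fix the advisory's description implies: normalise first, then compare against the catalog root, rather than filtering the literal string "..".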

Exploit

Fix

Path traversal


Weakness Enumeration

Related identifiers

BDU:2016-00580
CVE-2016-2389

Affected products

Sap Manufacturing Integration/Intelligence
Sap Netweaver