CVE-2016-3976 - Vulnerability Details - OpenCVE

Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is in the KEV database since Nov. 3, 2021.

Exploitation active

Automatable yes

Technical Impact partial

Vendors	Products
Sap	Netweaver Application Server Java

Configuration 1 [-]

cpe:2.3:a:sap:netweaver_application_server_java:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/137528/SAP-NetWeaver-AS-JAVA-7.5-Directory-Traversal.html
http://seclists.org/fulldisclosure/2016/Jun/40
https://erpscan.io/advisories/erpscan-16-012/
https://erpscan.io/press-center/blog/sap-security-notes-march-2016-review/
https://launchpad.support.sap.com/#/notes/2234971
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-3976
https://www.exploit-db.com/exploits/39996/

History

Wed, 22 Oct 2025 00:30:00 +0000

Type	Values Removed	Values Added
References		https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-3976

Tue, 21 Oct 2025 20:30:00 +0000

Type	Values Removed	Values Added
References	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-3976

Tue, 21 Oct 2025 19:30:00 +0000

Type	Values Removed	Values Added
References		https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-3976

Tue, 04 Feb 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		kev `{'dateAdded': '2021-11-03'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2016-04-07T23:00:00.000Z

Updated: 2025-10-21T23:55:54.035Z

Reserved: 2016-04-07T00:00:00.000Z

Link: CVE-2016-3976

Vulnrichment

Updated: 2024-08-06T00:10:31.979Z

NVD

Status : Deferred

Published: 2016-04-07T23:59:10.797

Modified: 2025-10-22T00:15:52.260

Link: CVE-2016-3976

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-03-08T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-11-10T14:42:21.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://erpscan.io/press-center/blog/sap-security-notes-march-2016-review/"}, {"name": "20160618 [ERPSCAN-16-012] SAP NetWeaver AS JAVA - directory traversal vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2016/Jun/40"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/137528/SAP-NetWeaver-AS-JAVA-7.5-Directory-Traversal.html"}, {"tags": ["x_refsource_MISC"], "url": "https://erpscan.io/advisories/erpscan-16-012/"}, {"name": "39996", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/39996/"}, {"tags": ["x_refsource_MISC"], "url": "https://launchpad.support.sap.com/#/notes/2234971"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-3976", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://erpscan.io/press-center/blog/sap-security-notes-march-2016-review/", "refsource": "MISC", "url": "https://erpscan.io/press-center/blog/sap-security-notes-march-2016-review/"}, {"name": "20160618 [ERPSCAN-16-012] SAP NetWeaver AS JAVA - directory traversal vulnerability", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2016/Jun/40"}, {"name": "http://packetstormsecurity.com/files/137528/SAP-NetWeaver-AS-JAVA-7.5-Directory-Traversal.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/137528/SAP-NetWeaver-AS-JAVA-7.5-Directory-Traversal.html"}, {"name": "https://erpscan.io/advisories/erpscan-16-012/", "refsource": "MISC", "url": "https://erpscan.io/advisories/erpscan-16-012/"}, {"name": "39996", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/39996/"}, {"name": "https://launchpad.support.sap.com/#/notes/2234971", "refsource": "MISC", "url": "https://launchpad.support.sap.com/#/notes/2234971"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T00:10:31.979Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://erpscan.io/press-center/blog/sap-security-notes-march-2016-review/"}, {"name": "20160618 [ERPSCAN-16-012] SAP NetWeaver AS JAVA - directory traversal vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2016/Jun/40"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/137528/SAP-NetWeaver-AS-JAVA-7.5-Directory-Traversal.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://erpscan.io/advisories/erpscan-16-012/"}, {"name": "39996", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/39996/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://launchpad.support.sap.com/#/notes/2234971"}]}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2016-3976", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-04T20:58:34.261968Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2021-11-03", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-3976"}}}], "references": [{"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-3976", "tags": ["government-resource"]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "timeline": [{"time": "2021-11-03T00:00:00+00:00", "lang": "en", "value": "CVE-2016-3976 added to CISA KEV"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-21T23:55:54.035Z"}}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-3976", "datePublished": "2016-04-07T23:00:00.000Z", "dateReserved": "2016-04-07T00:00:00.000Z", "dateUpdated": "2025-10-21T23:55:54.035Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://erpscan.io/press-center/blog/sap-security-notes-march-2016-review/", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2016/Jun/40", "name": "20160618 [ERPSCAN-16-012] SAP NetWeaver AS JAVA - directory traversal vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"]}, {"url": "http://packetstormsecurity.com/files/137528/SAP-NetWeaver-AS-JAVA-7.5-Directory-Traversal.html", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://erpscan.io/advisories/erpscan-16-012/", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://www.exploit-db.com/exploits/39996/", "name": "39996", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"]}, {"url": "https://launchpad.support.sap.com/#/notes/2234971", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T00:10:31.979Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2016-3976", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-04T20:58:34.261968Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2021-11-03", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2016-3976"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-04T20:58:41.379Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-03-08T00:00:00.000Z", "references": [{"url": "https://erpscan.io/press-center/blog/sap-security-notes-march-2016-review/", "tags": ["x_refsource_MISC"]}, {"url": "http://seclists.org/fulldisclosure/2016/Jun/40", "name": "20160618 [ERPSCAN-16-012] SAP NetWeaver AS JAVA - directory traversal vulnerability", "tags": ["mailing-list", "x_refsource_FULLDISC"]}, {"url": "http://packetstormsecurity.com/files/137528/SAP-NetWeaver-AS-JAVA-7.5-Directory-Traversal.html", "tags": ["x_refsource_MISC"]}, {"url": "https://erpscan.io/advisories/erpscan-16-012/", "tags": ["x_refsource_MISC"]}, {"url": "https://www.exploit-db.com/exploits/39996/", "name": "39996", "tags": ["exploit", "x_refsource_EXPLOIT-DB"]}, {"url": "https://launchpad.support.sap.com/#/notes/2234971", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2021-11-10T14:42:21.000Z"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "n/a"}]}, "product_name": "n/a"}]}, "vendor_name": "n/a"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://erpscan.io/press-center/blog/sap-security-notes-march-2016-review/", "name": "https://erpscan.io/press-center/blog/sap-security-notes-march-2016-review/", "refsource": "MISC"}, {"url": "http://seclists.org/fulldisclosure/2016/Jun/40", "name": "20160618 [ERPSCAN-16-012] SAP NetWeaver AS JAVA - directory traversal vulnerability", "refsource": "FULLDISC"}, {"url": "http://packetstormsecurity.com/files/137528/SAP-NetWeaver-AS-JAVA-7.5-Directory-Traversal.html", "name": "http://packetstormsecurity.com/files/137528/SAP-NetWeaver-AS-JAVA-7.5-Directory-Traversal.html", "refsource": "MISC"}, {"url": "https://erpscan.io/advisories/erpscan-16-012/", "name": "https://erpscan.io/advisories/erpscan-16-012/", "refsource": "MISC"}, {"url": "https://www.exploit-db.com/exploits/39996/", "name": "39996", "refsource": "EXPLOIT-DB"}, {"url": "https://launchpad.support.sap.com/#/notes/2234971", "name": "https://launchpad.support.sap.com/#/notes/2234971", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2016-3976", "STATE": "PUBLIC", "ASSIGNER": "cve@mitre.org"}}}}, "cveMetadata": {"cveId": "CVE-2016-3976", "state": "PUBLISHED", "dateUpdated": "2025-02-04T21:05:07.499Z", "dateReserved": "2016-04-07T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2016-04-07T23:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cisaActionDue": "2022-05-03", "cisaExploitAdd": "2021-11-03", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "SAP NetWeaver Directory Traversal Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:netweaver_application_server_java:*:*:*:*:*:*:*:*", "matchCriteriaId": "70F75AAE-5A52-4B9A-B8E8-8E1BE573B21D", "versionEndIncluding": "7.50", "versionStartIncluding": "7.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971."}, {"lang": "es", "value": "Vulnerabilidad de salto de directorio en SAP NetWeaver AS Java 7.1 hasta la versi\u00f3n 7.5 permite a atacantes remotos leer archivos arbitrarios a trav\u00e9s de ..\\ (punto punto barra invertida) en el par\u00e1metro fileName para CrashFileDownloadServlet, tambi\u00e9n conocida como SAP Security Note 2234971."}], "id": "CVE-2016-3976", "lastModified": "2025-10-22T00:15:52.260", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2016-04-07T23:59:10.797", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/137528/SAP-NetWeaver-AS-JAVA-7.5-Directory-Traversal.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2016/Jun/40"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://erpscan.io/advisories/erpscan-16-012/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://erpscan.io/press-center/blog/sap-security-notes-march-2016-review/"}, {"source": "cve@mitre.org", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/2234971"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/39996/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/137528/SAP-NetWeaver-AS-JAVA-7.5-Directory-Traversal.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2016/Jun/40"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://erpscan.io/advisories/erpscan-16-012/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://erpscan.io/press-center/blog/sap-security-notes-march-2016-review/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://launchpad.support.sap.com/#/notes/2234971"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/39996/"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-3976"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}