CVE-2016-3976
Published: 07 April 2016
Summary
CVE-2016-3976 is a high-severity Path Traversal (CWE-22) vulnerability in SAP NetWeaver Application Server Java. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2016-3976 is a directory traversal vulnerability, tracked as CWE-22, that affects SAP NetWeaver AS Java versions 7.1 through 7.5. The flaw resides in CrashFileDownloadServlet and permits an attacker to supply a ..\ sequence in the fileName parameter, enabling read access to arbitrary files on the underlying system. It carries a CVSS 3.1 base score of 7.5 with a network attack vector and no required authentication or user interaction.
Remote unauthenticated attackers can exploit the issue over the network to retrieve sensitive files, resulting in high-impact confidentiality exposure while leaving integrity and availability unaffected. Public exploit code and proof-of-concept reports have been published that demonstrate file retrieval against the servlet endpoint.
SAP Security Note 2234971 addresses the vulnerability and is referenced by multiple disclosure sources as the official remediation channel; practitioners should apply the note according to SAP guidance to close the traversal vector.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-4985
Vulnerability details
Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971.
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Enforces access restrictions on CrashFileDownloadServlet so that unauthenticated traversal requests cannot retrieve arbitrary files.
Validates the fileName parameter to reject path-traversal sequences such as ..\ before the servlet processes the download.
Requires prompt application of SAP Note 2234971 to eliminate the directory-traversal flaw in the affected servlet.
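The fileName validation control described above can be sketched as follows. This is an added example, not SAP's code or the fix shipped in SAP Security Note 2234971; the class name, the method name, and the `crash-files-example` base directory are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class CrashFileNameCheck {
    // Hypothetical storage directory; the page does not say where the servlet keeps its files.
    static final Path BASE = Paths.get("crash-files-example").toAbsolutePath().normalize();

    /** Returns the path to serve, or throws if fileName is not a plain name inside BASE. */
    static Path resolveDownload(String fileName) throws IOException {
        if (fileName == null || fileName.isEmpty() || fileName.equals(".") || fileName.equals("..")) {
            throw new SecurityException("invalid fileName");
        }
        // Reject both separators on every OS. On Linux java.nio does not treat '\' as a
        // separator, so normalize() alone leaves "..\" untouched there and a check that
        // passes on a Linux test host can still be bypassed on a Windows server.
        for (char c : fileName.toCharArray()) {
            if (c == '/' || c == '\\' || c == ':' || c < 0x20) {
                throw new SecurityException("illegal character in fileName");
            }
        }
        // Defence in depth: the normalized result must sit directly inside BASE.
        Path candidate = BASE.resolve(fileName).normalize();
        if (!BASE.equals(candidate.getParent())) {
            throw new SecurityException("fileName escapes base directory");
        }
        // If the file exists, also make sure a symlink does not lead outside BASE.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(BASE.toRealPath())) {
            throw new SecurityException("fileName resolves outside base directory");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs, not taken from any real request.
        String[] samples = { "crash_0001.dmp", "..\\..\\outside.txt", "../outside.txt", "..", "C:outside.txt" };
        for (String s : samples) {
            try {
                System.out.println("ALLOW  " + s + " -> " + resolveDownload(s));
            } catch (SecurityException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first sample is allowed; the rest are rejected before any file is opened. A check of this kind complements the vendor patch and the access restriction on the servlet, it does not replace them.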