Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-2389: Path Traversal in SAP NetWeaver

CWE-22: Path Traversal | 6 documents | 6 sources
Severity: 7.5 HIGH (NVD)
EPSS: 83.7% (top 0.71%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products
Timeline: Published Feb 16 | Latest update May 14

Description

Directory traversal vulnerability in the GetFileList function in the SAP Manufacturing Integration and Intelligence (xMII) component 15.0 for SAP NetWeaver 7.4 allows remote attackers to read arbitrary files via a .. (dot dot) in the Path parameter to /Catalog, aka SAP Security Note 2230978.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (1 package)

NVD: sap/netweaver 7.40

🔴 Vulnerability Details (3)

GHSA | 2022-05-14 | GHSA-7r5q-xqh9-3hxf: Directory traversal vulnerability in the GetFileList function in the SAP Manufacturing Integration and Intelligence (xMII) component 15
CVEList | 2016-02-16 | CVE-2016-2389: Directory traversal vulnerability in the GetFileList function in the SAP Manufacturing Integration and Intelligence (xMII) component 15
VulnCheck | 2016 | SAP NetWeaver Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

💥 Exploits & PoCs (2)

Exploit-DB | 2016-05-17 | SAP xMII 15.0 - Directory Traversal
Nuclei | SAP xMII 15.0 for SAP NetWeaver 7.4 - Local File Inclusion