PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-4314 WSO2 CVE debrief

CVE-2016-4314 is a directory traversal vulnerability in the LogViewer Admin Service of WSO2 Carbon 4.4.5. According to the NVD description, a remote authenticated administrator can supply dot-dot sequences in the logFile parameter to downloadgz-ajaxprocessor.jsp and read arbitrary files. NVD assigns CWE-22 and a CVSS 3.0 score of 4.9 (MEDIUM).

Vendor: WSO2
Product: CVE-2016-4314
CVSS: MEDIUM 4.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Administrators and security teams running WSO2 Carbon 4.4.5, especially environments exposing the LogViewer Admin Service to remote administrative access. Because the issue requires high privileges, the main concern is misuse of legitimate admin access rather than unauthenticated exposure.

Technical summary

The flaw is a path traversal (arbitrary file read) issue in the LogViewer Admin Service. The vulnerable request path is downloadgz-ajaxprocessor.jsp, and the logFile parameter can be manipulated with '..' sequences to reach files outside the intended log directory. NVD's CVSS vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) indicates network reachability, low attack complexity, no user interaction, and required high privileges, with confidentiality impact only.

Defensive priority

Medium. The issue is exploitable over the network but requires authenticated administrator privileges, and the NVD score reflects confidentiality impact rather than integrity or availability impact. Prioritize remediation where WSO2 Carbon 4.4.5 is still in use or where administrative accounts are broadly delegated.

Recommended defensive actions

  • Verify whether any instance of WSO2 Carbon 4.4.5 is deployed and whether the LogViewer Admin Service is enabled or reachable.
  • Apply the vendor-referenced security update or mitigation guidance from WSO2 Security Advisory WSO2-2016-0098.
  • Restrict and monitor remote administrative access to the LogViewer Admin Service, especially accounts with broad privileges.
  • Review logs for unusual requests to downloadgz-ajaxprocessor.jsp and for logFile values containing path traversal patterns.
  • If upgrading or patching is not immediately possible, disable or isolate the affected administrative functionality where operationally feasible.
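The log review in the bullet above, as an added example that is not part of the PatchSiren debrief: a Python scan over constructed access-log lines that flags requests to downloadgz-ajaxprocessor.jsp whose logFile value, after repeated URL decoding, contains a '..' path segment (slash or backslash). The "/app/" path prefix, client addresses and file names are assumptions; only the JSP name and parameter name come from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (common log format), not real traffic; the
# "/app/" prefix is made up, only the JSP filename comes from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - admin [17/Feb/2017:10:01:02 +0000] "GET /app/downloadgz-ajaxprocessor.jsp?logFile=server.log HTTP/1.1" 200 5120
10.0.0.5 - admin [17/Feb/2017:10:02:11 +0000] "GET /app/downloadgz-ajaxprocessor.jsp?logFile=../../../../secret/config.txt HTTP/1.1" 200 2048
10.0.0.9 - admin [17/Feb/2017:10:03:45 +0000] "GET /app/downloadgz-ajaxprocessor.jsp?logFile=..%2F..%2Fother%2Ffile.txt HTTP/1.1" 200 900
10.0.0.9 - admin [17/Feb/2017:10:04:00 +0000] "GET /app/downloadgz-ajaxprocessor.jsp?logFile=%252e%252e%255cnotes.txt HTTP/1.1" 403 0
10.0.0.7 - - [17/Feb/2017:10:05:00 +0000] "GET /app/login.jsp?next=a..b HTTP/1.1" 200 1200
"""

DOTDOT_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")  # a ".." path segment
REQUEST_FIELD = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded %252e%252e is unwrapped too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value holds a '..' segment (slash or backslash)."""
    return DOTDOT_SEGMENT.search(decode_fully(value).replace("\\", "/")) is not None

def find_suspicious_requests(log_text):
    """Return (line number, client IP, decoded logFile) for traversal attempts
    against downloadgz-ajaxprocessor.jsp. Only GET query strings show up in an
    access log; a POSTed logFile would need application-level logging."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_FIELD.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not url.path.endswith("/downloadgz-ajaxprocessor.jsp"):
            continue  # '..' in other endpoints' parameters is out of scope
        for value in parse_qs(url.query, keep_blank_values=True).get("logFile", []):
            if is_traversal(value):
                hits.append((lineno, line.split(" ", 1)[0], decode_fully(value)))
    return hits
```

Running find_suspicious_requests(SAMPLE_LOG) reports lines 2, 3 and 4; the plain server.log download and the unrelated login.jsp request are not flagged.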

Evidence notes

The CVE description supplied in the source corpus states that directory traversal in the LogViewer Admin Service of WSO2 Carbon 4.4.5 allows remote authenticated administrators to read arbitrary files via '..' in the logFile parameter to downloadgz-ajaxprocessor.jsp. NVD also lists CPE 2.3 cpe:2.3:a:wso2:carbon:4.4.5:*:*:*:*:*:*:* as vulnerable, CWE-22 as the primary weakness, and CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The reference set includes a vendor advisory/patch reference and third-party advisories; this debrief does not rely on any exploit details from those references.

Official resources

Publicly disclosed in the CVE record on 2017-02-17T02:59:12Z and later modified in the source database on 2026-05-13T00:24:29.033Z. This entry is not marked as KEV in the supplied data.