CVE-2006-3921

Sun Java System Application Server (SJSAS) 7 through 8.1 and Web Server (SJSWS) 6.0 and 6.1 allows remote authenticated users to read files outside of the "document root directory" via a direct request using a UTF-8 encoded URI.

Published: Jul 28, 2006
Updated: Nov 9, 2025
CVE: CVE-2006-3921
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:P/I:N/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
sun / java_system_application_server	7.0-ur5	7.0-ur5.x
sun / java_system_application_server	7.0	7.0.x
sun / java_system_web_server	6.1-sp1	6.1-sp1.x
sun / java_system_application_server	7.0-ur1	7.0-ur1.x
sun / java_system_application_server	7.0-ur2	7.0-ur2.x
sun / java_system_web_server	6.0	6.0.x
sun / java_system_application_server	8.1	8.1.x
sun / java_system_web_server	6.1-sp3	6.1-sp3.x
sun / java_system_application_server	7.1	7.1.x
sun / java_system_web_server	6.1	6.1.x
sun / java_system_application_server	7.0-ur6	7.0-ur6.x
sun / java_system_web_server	6.1-sp4	6.1-sp4.x
sun / java_system_web_server	6.1-sp5	6.1-sp5.x
sun / java_system_application_server	8.1-ur1	8.1-ur1.x
sun / java_system_application_server	7.0-ur4	7.0-ur4.x
sun / java_system_web_server	6.1-sp2	6.1-sp2.x

Vulnerability Database

311,380

CVE-2006-3921

Deep Security Visibility Without the Complexity