Free and open-source vulnerability scanner

Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.

Install Now

Available for macOS, Windows, and Linux

App screenshot

'/%20..\WEB-INF/' Information Disclosure Vulnerability (HTTP)

Information

Severity

Severity

Medium

Family

Family

Web Servers

CVSSv2 Base

CVSSv2 Base

5.0

CVSSv2 Vector

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution Type

Solution Type

Vendor Patch

Created

Created

3 years ago

Modified

Modified

3 years ago

Summary

Various application or web servers / products are prone to an information disclosure vulnerability.

Insight

Insight

The servlet specification prohibits servlet containers from serving resources in the '/WEB-INF' and '/META-INF' directories of a web application archive directly to clients. This means that URLs like: http://example.com/WEB-INF/web.xml will return an error message, rather than the contents of the deployment descriptor. However, some application or web servers / products are prone to a vulnerability that exposes this information if the client requests a URL like this instead: http://example.com/%20..\WEB-INF/web.xml http://example.com/%20..\web-inf/web.xml (note the '%20..\' before 'WEB-INF').

Affected Software

Affected Software

The following products are known to be affected: - Caucho Resin v3.1.0 and v3.0.17 through v3.0.21 for Windows. - Caucho Resin Professional v3.1.0 for Windows. Other products might be affected as well.

Detection Method

Detection Method

Sends a crafted HTTP GET request and checks the response.

Solution

Solution

The following vendor fixes are known: - Caucho Resin v3.1.1 for Windows. - Caucho Resin Professional v3.1.1 for Windows. For other products please contact the vendor for more information on possible fixes.

Common Vulnerabilities and Exposures (CVE)