Zero-friction vulnerability management platform

Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.

Install Now

Available for macOS, Windows, and Linux

App screenshot

'/;/WEB-INF/' Information Disclosure Vulnerability (HTTP)

Information

Severity

Severity

Medium

Family

Family

Web Servers

CVSSv2 Base

CVSSv2 Base

5.0

CVSSv2 Vector

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Solution Type

Solution Type

Vendor Patch

Created

Created

1 year ago

Modified

Modified

1 year ago

Summary

Various application or web servers / products are prone to an information disclosure vulnerability.

Insight

Insight

The servlet specification prohibits servlet containers from serving resources in the '/WEB-INF' and '/META-INF' directories of a web application archive directly to clients. This means that URLs like: http://example.com/WEB-INF/web.xml will return an error message, rather than the contents of the deployment descriptor. However, some application or web servers / products are prone to a vulnerability that exposes this information if the client requests a URL like this instead: http://example.com/<semicolon>/WEB-INF/web.xml http://example.com/<semicolon>/web-inf/web.xml (note the '<semicolon>/' before 'WEB-INF').

Affected Software

Affected Software

The following products are known to be affected: - Atlassian Jira Server Other products might be affected as well.

Detection Method

Detection Method

Sends a crafted HTTP GET request and checks the response.

Solution

Solution

The following vendor fixes are known: - Update Atlassian Jira Server to the latest available version. For other products please contact the vendor for more information on possible fixes.

Common Vulnerabilities and Exposures (CVE)