Various Application Server '/web-inf/' Information Disclosure Vulnerability (HTTP)
Summary
Various application servers are prone to an information disclosure vulnerability.
Insight
The servlet specification prohibits servlet containers from serving resources in the '/WEB-INF' and '/META-INF' directories of a web application archive directly to clients. This means that URLs like: http://example.com:8080/WEB-INF/web.xml will return an error message, rather than the contents of the deployment descriptor. However, some application servers are prone to a vulnerability that exposes this information if the client requests a URL like this instead: http://example.com:8080/web-inf/web.xml (note the lowercase 'web-inf').
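The mismatch described above comes down to comparing the request path against '/WEB-INF' exactly while the file system or routing layer treats the name case-insensitively. The following is an added example, not Mageni's plugin and not Jenkins' fix; the function names and the constructed sample paths are mine. It places the naive exact-case check beside a normalized check that percent-decodes, collapses dot segments and compares case-insensitively, which is the kind of filter a defender would put in front of a servlet container to close this class of bypass.

```python
import posixpath
from urllib.parse import unquote

# Directories the servlet specification says must never be served directly.
PROTECTED = ("WEB-INF", "META-INF")


def naive_is_protected(raw_path: str) -> bool:
    """Exact-case prefix check, as a broken container effectively does."""
    return raw_path.startswith("/WEB-INF/") or raw_path.startswith("/META-INF/")


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path before any access decision."""
    path = raw_path.split("?", 1)[0]          # drop the query string
    path = unquote(path)                      # %57EB-INF -> WEB-INF
    path = path.replace("\\", "/")            # backslash separators
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)           # /a/../web-inf -> /web-inf


def is_protected(raw_path: str) -> bool:
    """Case-insensitive check on every path segment after normalization.

    Checking every segment (not only the first) also covers deployments
    under a context path such as /app/WEB-INF/web.xml.
    """
    segments = normalize_path(raw_path).split("/")
    return any(seg.upper() in PROTECTED for seg in segments if seg)


def blocked_requests(paths):
    """Return the constructed request paths the hardened filter would deny."""
    return [p for p in paths if is_protected(p)]


if __name__ == "__main__":
    # Constructed sample request paths, not captured traffic.
    sample = ["/WEB-INF/web.xml", "/web-inf/web.xml", "/static/app.js",
              "/%57EB-INF/web.xml", "/css/../META-inf/MANIFEST.MF"]
    for p in sample:
        print(f"{p:32} naive={naive_is_protected(p)!s:5} hardened={is_protected(p)}")
```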
Affected Software
The following products are known to be affected:
- Jenkins weekly up to and including 2.106.
- Jenkins LTS up to and including 2.89.3.
Other products might be affected as well.
Detection Method
Sends a crafted HTTP GET request and checks the response.
Solution
The following vendor fixes are known:
- Update Jenkins weekly to version 2.107 or later.
- Update Jenkins LTS to version 2.89.4 or later.
For other products, please contact the vendor for more information on possible fixes.