
Jetty WEB-INF File Disclosure

Disclosed
2021-07-15
Created
2021-11-13

Description

Jetty suffers from a vulnerability where certain encoded URIs and ambiguous paths can access
protected files in the WEB-INF folder. Affected versions are:
9.4.37.v20210219, 9.4.38.v20210224 and 9.4.37-9.4.42, 10.0.1-10.0.5, 11.0.1-11.0.5.
Exploitation can obtain any file in the WEB-INF folder, but web.xml is the file most likely
to contain information of value.
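The two checks a defender wants from this description are whether a deployed Jetty falls inside the affected ranges listed above, and whether any request in the access log reached a WEB-INF path once percent-encoding and dot segments are resolved (a plain string match on "WEB-INF" misses exactly the encoded variants the advisory is about). The script below is an added example, not code from the Metasploit module or from Jetty; the version ranges are taken from the text above, the log lines are constructed in common log format, and the decoding/normalisation is a generic approximation of what a servlet container does, not Jetty's own path resolution.

```python
"""Defensive helpers for the Jetty WEB-INF disclosure described above.

Added example; not part of the Metasploit module. The log lines are
constructed, and the affected-version ranges come from the advisory text.
"""
import re
from urllib.parse import unquote

# Affected ranges as stated on the page: (low, high) inclusive, as (major, minor, patch).
AFFECTED_RANGES = [
    ((9, 4, 37), (9, 4, 42)),
    ((10, 0, 1), (10, 0, 5)),
    ((11, 0, 1), (11, 0, 5)),
]


def parse_jetty_version(version):
    """Turn a Jetty version string such as '9.4.37.v20210219' into (9, 4, 37)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_jetty_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def normalise_path(raw_path):
    """Drop the query string, percent-decode until stable (catches double
    encoding), and resolve '.' / '..' segments, so the comparison sees the
    path roughly as the container would resolve it."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):  # bounded loop: stop once decoding no longer changes anything
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def touches_web_inf(raw_path):
    """True if the normalised request path enters a WEB-INF directory.
    Compared case-insensitively, since the underlying file system may be."""
    segments = normalise_path(raw_path).lower().split("/")
    return "web-inf" in segments


# Matches the request and status fields of a common-log-format line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def scan_access_log(lines):
    """Return (raw_path, status) for every request whose path resolves into WEB-INF.
    A 200 on such a path is the signal that disclosure actually succeeded."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and touches_web_inf(m.group("path")):
            hits.append((m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample lines (not real traffic); the encoded request is a
# generic percent-encoded variant, not a specific Jetty bypass string.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Jul/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [15/Jul/2021:10:00:02 +0000] "GET /WEB-INF/web.xml HTTP/1.1" 404 0',
    '10.0.0.9 - - [15/Jul/2021:10:00:03 +0000] "GET /WEB%2DINF/web.xml HTTP/1.1" 200 2048',
    '10.0.0.9 - - [15/Jul/2021:10:00:04 +0000] "GET /static/./css/site.css HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for path, status in scan_access_log(SAMPLE_LOG):
        print(f"WEB-INF access attempt: {path} -> {status}")
    for v in ("9.4.37.v20210219", "9.4.43", "11.0.6"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

Run against a real Jetty request log, the scanner flags both the plain and the encoded WEB-INF requests; the status column then separates blocked attempts (4xx) from the 200 responses that warrant an incident investigation and a check of which version the server is running.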

Authors

h00die
Mayank Deshmukh
cangqingzhe
lachlan roberts lachlan@webtide.com
charlesk40

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use auxiliary/gather/jetty_web_inf_disclosure
msf auxiliary(jetty_web_inf_disclosure) > show actions
...actions...
msf auxiliary(jetty_web_inf_disclosure) > set ACTION < action-name >
msf auxiliary(jetty_web_inf_disclosure) > show options
...show and set options...
msf auxiliary(jetty_web_inf_disclosure) > run
