module
Jetty WEB-INF File Disclosure
Disclosed | Created |
---|---|
2021-07-15 | 2021-11-13 |
Description
Jetty suffers from a vulnerability where certain encoded URIs and ambiguous paths can access
protected files in the WEB-INF folder. Affected versions are:
9.4.37.v20210219, 9.4.38.v20210224 and 9.4.37-9.4.42, 10.0.1-10.0.5, 11.0.1-11.0.5.
Exploitation can obtain any file in the WEB-INF folder, but web.xml is most likely
to have information of value.
Authors
h00die
Mayank Deshmukh
cangqingzhe
lachlan roberts lachlan@webtide.com
charlesk40
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
