The version of F5 Networks BIG-IP installed on the remote host is prior to 15.1.9 / 16.1.4 / 17.1.1. It is, therefore, affected by a vulnerability as referenced in the K33548065 advisory.

    In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an     intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the     DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException     which includes the full path to the base resource directory that the DefaultServlet and/or webapp is     using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException     message is included in the error response, revealing the full server path to the requesting     system.(CVE-2018-12536)ImpactAn authenticated user can see the back-end directory, which should not be     accessed through remote access.

Tenable has extracted the preceding description block directly from the F5 Networks BIG-IP security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Detections

Analytics

F5 Networks BIG-IP : Eclipse Jetty vulnerability (K33548065)

medium Nessus Plugin ID 159281

Version 1.6