Detections
Analytics

Mort Bay Jetty URL Multiple Slash Character Information Disclosure

medium Nessus Plugin ID 29852

Language:

Synopsis

The remote web server is affected by an information disclosure vulnerability.

Description

The remote instance of Mort Bay Jetty allows an attacker to view static content in WEB-INF and behind security constraints because of the approach it uses to compact URLs like '/foo///bar'.

Solution

Upgrade to Mort Bay Jetty 6.1.7 or later.

See Also

http://jira.codehaus.org/browse/JETTY-386#action_117699

Plugin Details

Severity: Medium

ID: 29852

File Name: jetty_double_slash_info_disclosure.nasl

Version: 1.24

Type: remote

Family: CGI abuses

Published: 1/7/2008

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.7

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:mortbay:jetty

Exploit Ease: No known exploits are available

Exploited by Nessus: true

Reference Information

CVE: CVE-2007-6672

BID: 27117

CWE: 22

CERT: 553235