Jetty WEB-INF File Disclosure
| Disclosed | Created |
|---|---|
| Jul 15, 2021 | Nov 13, 2021 |
Description
Jetty suffers from a vulnerability where requests using certain encoded URIs and ambiguous
paths can access protected files in the WEB-INF folder. Versions affected are:
9.4.37.v20210219, 9.4.38.v20210224 and 9.4.37-9.4.42, 10.0.1-10.0.5, 11.0.1-11.0.5.
Exploitation can obtain any file in the WEB-INF folder, but web.xml is the file most likely
to contain information of value.
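For triage, the affected ranges listed above can be checked against an inventory of Jetty `Server` header values. This is an added example, not part of the module or of Jetty; the function names and the sample inventory are assumptions, and a missing or hidden `Server` header is reported as unknown rather than as safe.

```python
import re

# Affected ranges exactly as listed in the description above (inclusive).
AFFECTED_RANGES = [
    ((9, 4, 37), (9, 4, 42)),
    ((10, 0, 1), (10, 0, 5)),
    ((11, 0, 1), (11, 0, 5)),
]

# Jetty versions look like "9.4.40.v20210413"; only the numeric
# major.minor.patch triple is compared, any suffix is ignored.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
_SERVER_RE = re.compile(r"Jetty\(([^)]+)\)", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch) from a Jetty version string, or None."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def version_from_server_header(header):
    """Extract the version from a 'Jetty(x.y.z...)' Server header value."""
    m = _SERVER_RE.search(header or "")
    return m.group(1) if m else None


def is_affected(version_text):
    """True/False for a parseable version, None if it cannot be parsed."""
    v = parse_version(version_text or "")
    if v is None:
        return None
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Map host -> 'affected' | 'not affected' | 'unknown'."""
    labels = {True: "affected", False: "not affected", None: "unknown"}
    return {host: labels[is_affected(version_from_server_header(hdr))]
            for host, hdr in inventory.items()}


# Constructed sample inventory (hostnames and header values are made up).
SAMPLE = {
    "app1.example.internal": "Jetty(9.4.40.v20210413)",
    "app2.example.internal": "Jetty(9.4.43.v20210629)",
    "app3.example.internal": "Jetty(11.0.5)",
    "app4.example.internal": "",  # Server header suppressed
}
```

Hosts reported as unknown need the version confirmed from the deployment itself, since the header can be disabled or rewritten by a proxy.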
Authors
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':