Test ID:	1.3.6.1.4.1.25623.1.0.117709
Category:	Web Servers
Title:	'/_/WEB-INF/' Information Disclosure Vulnerability (HTTP)
Summary:	Various application or web servers / products are prone to an; information disclosure vulnerability.
Description:	Summary: Various application or web servers / products are prone to an information disclosure vulnerability. Vulnerability Insight: The servlet specification prohibits servlet containers from serving resources in the '/WEB-INF' and '/META-INF' directories of a web application archive directly to clients. This means that URLs like: http://example.com/WEB-INF/web.xml will return an error message, rather than the contents of the deployment descriptor. However, some application or web servers / products are prone to a vulnerability that exposes this information if the client requests a URL like this instead: http://example.com/_/WEB-INF/web.xml http://example.com/_/web-inf/web.xml (note the '_/' before 'WEB-INF'). Vulnerability Impact: Based on the information provided in this file an attacker might be able to gather additional info and/or sensitive data about the application / the application / web server. Affected Software/OS: The following products are known to be affected: - Atlassian Jira Server Other products might be affected as well. Solution: The following vendor fixes are known: - Update Atlassian Jira Server to the latest available version. For other products please contact the vendor for more information on possible fixes. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2019-8442 BugTraq ID: 108460 http://www.securityfocus.com/bid/108460 https://jira.atlassian.com/browse/JRASERVER-69241
Copyright	Copyright (C) 2021 Greenbone Networks GmbH

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.