Description

The WEB-INF/web.xml Deployment Descriptor file describes how to deploy a web application in a servlet container such as Tomcat. Normally, this file should not be accessible. However, Acunetix WS was able to read the contents of this file by using various encodings and directory traversal variants.

Remediation

Restrict access to this file.

References

OWASP - Path Traversal

Servlet Specification - Web Application Deployment Descriptor

Related Vulnerabilities

WordPress Plugin A2 Optimized WP Information Disclosure (2.0.10.8)

WordPress Plugin Media Library Assistant Information Disclosure (3.00)

WordPress Plugin Academy LMS-eLearning and online course solution for WordPress Information Disclosure (1.9.25)

WordPress Plugin Cherry Services List Information Disclosure (1.4.1)

JBoss status servlet information leak

Severity

High

Classification

CWE-538 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure Test Files