JBoss org.jboss.web.WebServer Class Multiple Vulnerabilities (Source Disc, ID)

medium Nessus Plugin ID 18526

Synopsis

The remote web server is affected by an information disclosure flaw.

Description

The class-download service implemented by the remote JBoss server's org.jboss.web.WebServer class is affected by an information disclosure flaw. A remote, unauthenticated attacker can use it to retrieve the physical path of the server installation or its security policy, and to infer the exact JBoss version number. This information is useful for targeting further attacks against the remote configuration.

Solution

Upgrade to JBoss 3.2.8 or 4.0.3. Alternatively, edit JBoss' 'jboss-service.xml' configuration file, set 'DownloadServerClasses' to 'false', and restart the server. Note that this workaround stops remote clients from downloading classes from the server's classpath, so confirm that no RMI clients depend on that dynamic class loading before applying it.
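The following is an added example, not part of the Nessus plugin or the JBoss distribution: a small Python audit that reads a 'jboss-service.xml' file, reports whether the org.jboss.web.WebService MBean still has 'DownloadServerClasses' enabled, and writes out a hardened copy with the attribute forced to 'false'. The embedded configuration is a constructed sample that mirrors the shape of the WebService MBean in the JBoss 3.2.x/4.0.x conf/jboss-service.xml; the attribute names, the default port 8083, and the assumption that an absent attribute means "enabled" (JBoss' own default) are taken from memory of the distribution and are not stated on this page. It is useful when checking many hosts after the workaround above, since the plugin only observes the running service.

```python
"""Audit and harden the DownloadServerClasses setting in JBoss' jboss-service.xml.

Added example for Nessus plugin 18526's workaround; not code from Tenable or JBoss.
"""
import sys
import xml.etree.ElementTree as ET

# MBean class name used by JBoss 3.2.x/4.0.x for the class-download service
# (assumed from the distribution; not stated on the plugin page).
WEBSERVICE_CODE = "org.jboss.web.WebService"
ATTR_NAME = "DownloadServerClasses"

# Constructed sample in the shape of the WebService MBean from conf/jboss-service.xml,
# with the setting the plugin flags. A real file contains many more <mbean> entries.
WEAK_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<server>
  <mbean code="org.jboss.web.WebService" name="jboss:service=WebService">
    <attribute name="Port">8083</attribute>
    <attribute name="DownloadServerClasses">true</attribute>
    <attribute name="Host">${jboss.bind.address}</attribute>
    <attribute name="BindAddress">${jboss.bind.address}</attribute>
  </mbean>
</server>
"""

# Constructed sample with the attribute omitted entirely; JBoss then falls back
# to its built-in default, which (assumption) is to allow the download.
MISSING_ATTR_CONFIG = """<server>
  <mbean code="org.jboss.web.WebService" name="jboss:service=WebService">
    <attribute name="Port">8083</attribute>
  </mbean>
</server>
"""


def find_webservice_mbean(root):
    """Return the <mbean> element for the WebService, or None if not configured."""
    for mbean in root.iter("mbean"):
        if mbean.get("code") == WEBSERVICE_CODE:
            return mbean
    return None


def download_server_classes_enabled(xml_text):
    """True if the configuration still allows remote download of server classes.

    An absent attribute is reported as enabled, matching the assumed JBoss default,
    so that an audit errs on the side of flagging the host.
    """
    mbean = find_webservice_mbean(ET.fromstring(xml_text))
    if mbean is None:
        # No WebService MBean at all: this file does not start the 8083 service.
        return False
    for attr in mbean.findall("attribute"):
        if attr.get("name") == ATTR_NAME:
            return (attr.text or "").strip().lower() == "true"
    return True


def harden(xml_text):
    """Return the configuration with DownloadServerClasses set to false.

    The attribute is added if it was missing. ElementTree drops the XML
    declaration when serialising to a str; JBoss does not require it.
    """
    root = ET.fromstring(xml_text)
    mbean = find_webservice_mbean(root)
    if mbean is None:
        return xml_text
    for attr in mbean.findall("attribute"):
        if attr.get("name") == ATTR_NAME:
            attr.text = "false"
            break
    else:
        new_attr = ET.SubElement(mbean, "attribute", name=ATTR_NAME)
        new_attr.text = "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python audit_jboss.py [path/to/jboss-service.xml]
    # Without an argument the constructed weak sample is audited and hardened.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    state = "ENABLED (vulnerable)" if download_server_classes_enabled(text) else "disabled"
    print(f"{ATTR_NAME}: {state}")
    if download_server_classes_enabled(text):
        print("--- hardened configuration ---")
        print(harden(text))
```

The hardened output must still be followed by a server restart, as the Solution states; the audit only inspects the file on disk, not the running service.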

See Also

https://marc.info/?l=bugtraq&m=111911095424496&w=2

http://www.securityfocus.com/advisories/10104

Plugin Details

Severity: Medium

ID: 18526

File Name: jboss_config_disclosure.nasl

Version: 1.22

Type: remote

Family: CGI abuses

Published: 6/18/2005

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:jboss:jboss

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Vulnerability Publication Date: 6/17/2005

Exploitable With

Elliot (RedHat JBoss File Disclosure)

Reference Information

CVE: CVE-2005-2006, CVE-2006-0656

BID: 13985, 16571