CVE-2011-4404

Jetty - Path Traversal

Title source: llm

Description

The default configuration of the HTTP server in Jetty in vSphere Update Manager in VMware vCenter Update Manager 4.0 before Update 4 and 4.1 before Update 2 allows remote attackers to conduct directory traversal attacks and read arbitrary files via unspecified vectors, a related issue to CVE-2009-1523.

Exploits (2)

exploitdb WRITEUP

by Alexey Sintsov · textremotewindows

https://www.exploit-db.com/exploits/18138

View Code ZIP pw:eip

metasploit WORKING POC

by Alexey Sintsov, sinn3r · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/vmware/vmware_update_manager_traversal.rb

View Code ZIP pw:eip

References (4)

[Various Sources] http://jetty.codehaus.org/jetty/jetty-6/xref/org/mortbay/jetty/handler/ResourceHandler.html

[Various Sources] http://jetty.codehaus.org/jetty/jetty-6/xref/org/mortbay/jetty/servlet/DefaultServlet.html

[Patch, Vendor Advisory] http://www.vmware.com/security/advisories/VMSA-2011-0014.html

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id?1026341

Scores

EPSS 0.8332

EPSS Percentile 99.3%

Details

CWE

CWE-16

Status published

Products (2)

vmware/vcenter_update_manager 4.0 (4 CPE variants)

vmware/vcenter_update_manager 4.1 (2 CPE variants)

Published Nov 19, 2011

Tracked Since Feb 18, 2026