The Java Web Server would allow remote users to obtain the source code for CGI programs.
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Date Entry Created
19990607
Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Modified (19991203-01)
Votes (Legacy)
ACCEPT(7) Baker, Blake, Cole, Collins, Dik, Northcutt, Wall
MODIFY(1) Frech
NOOP(5) Armstrong, Bishop, Christey, Landfield, Prosser
REVIEWING(1) Ozancin
Comments (Legacy)
 Wall> Acknowledged by vendor at
 Baker> Vulnerability Reference (HTML)	Reference Type	Misc Defensive Info Vendor Info
 Christey> BID:1891
 Christey> Add version number (1.1 beta) and details of attack (appending
   a . or a \)
   The Sun URL referenced by Dave Baker no longer exists, so I
   wasn't able to verify that it addressed the problem described
   in the Bugtraq post.  This might not even be Sun's
   "Java Web Server," as CVE-2001-0186 describes some product
   called "Free Java Web Server"
 Dik> There appears to be some confusion.
   The particular bug seems to be in JWS 1.1beta or 1.1 which was fixed
   in 1.1.2 (get foo.jhtml source by appending "." or "\" to URL)
   There are other bugs that give access and that require a configuration
 Christey> Need to make sure to create CAN's for the other bugs,
   as documented in:
   NTBUGTRAQ:19980724 Alert: New Source Bug Affect Sun JWS
   BUGTRAQ:19980725 Alert: New Source Bug Affect Sun JWS
   The reported bugs are:
   1) file read by appending %20
   2) Directly call /servlet/file
   #2 is explicitly mentioned in the Sun advisory for
 CHANGE> [Frech changed vote from REVIEWING to MODIFY]
 Frech> XF:javawebserver-cgi-source(5383)

Proposed (Legacy)
This is an entry on the CVE list, which standardizes names for security problems.