I had a hard time reproducing the vulnerability with a simple helloworld war + Winstone, so I dug a little deeper and found there is code to prevent requests to WEB-INF in the Stapler framework which doesn't take into account all possible scenarios. I have created a patch and opened a pull request which you can follow @ https://github.com/stapler/stapler/pull/6/files
Cheers, J