404 Path Disclosure Vulnerability

ambo

Jun 20, 2023
We have recently deployed Proxmox Backup Server to take backups of our many PVE nodes.

Our security department came to us recently with the following vulnerability finding: https://www.tenable.com/plugins/nessus/11714

Description: The remote web server reveals the physical path of the webroot when asked for a non-existent page.

They also say that this is part of a number of old CVEs: CVE-2001-1372, CVE-2002-0266, CVE-2002-2008, CVE-2003-0456

This seems like something that should be easy to fix - but I don't know my way around the HTTP server being used for PBS. Any suggestions?
 
This is probably fixable only in the code, but it's also a non-issue in practice.
 
Thanks Fabian.

I agree that this doesn't actually create a practical risk - but security people don't always share those views.

Glad to see a patch has been created.
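
A way to confirm the finding is gone after patching, as an added example that is not part of the original thread or of Proxmox's code: it scans a 404 response body for filesystem paths that go beyond the request path the server merely echoed back, and also covers Windows-style paths. The function name, probe path and sample bodies are constructed for illustration.

```python
import re

# Absolute POSIX paths (at least one directory component) or Windows drive
# paths. The lookbehind skips URLs ("https://host/a/b") and tags ("<br/>").
_PATH = re.compile(
    r"(?<![\w.:/\\])"
    r"(?:[A-Za-z]:\\(?:[\w.+-]+\\)+|/(?:[\w.+-]+/)+)"
    r"[\w.+-]*"
)

def disclosed_paths(body, requested):
    """Return (path, webroot) pairs for filesystem-looking paths found in a
    404 body. A bare echo of the requested URL path is not a disclosure.
    webroot is the prefix in front of the requested path, or None if the
    leaked path does not end with it."""
    findings = []
    for match in _PATH.finditer(body):
        raw = match.group(0).rstrip(".")      # drop sentence-ending dot
        norm = raw.replace("\\", "/")         # compare in URL form
        if norm == requested:
            continue                          # server only echoed the URL
        root = norm[: -len(requested)] if norm.endswith(requested) else None
        findings.append((raw, root))
    return findings

# Constructed inputs: a random, non-existent probe path and three bodies.
REQUESTED = "/probe-7f3a/missing.html"
CLEAN = ("<html><body>404 Not Found: /probe-7f3a/missing.html, see "
         "https://example.invalid/docs/errors</body></html>")
LEAKY = ("<html><body>no such file: "
         "'/usr/share/example-webroot/probe-7f3a/missing.html'</body></html>")
LEAKY_WIN = r"Could not open C:\inetpub\example\probe-7f3a\missing.html."

if __name__ == "__main__":
    for name, body in (("clean", CLEAN), ("leaky", LEAKY), ("win", LEAKY_WIN)):
        print(name, disclosed_paths(body, REQUESTED))
```

Feed it the body your own server returns for a random non-existent path; an empty list means the response no longer exposes the webroot.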