CVE-2019-10247
April 22, 2019
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
Affected Packages
org.eclipse.jetty:jetty-server (JAVA):
Affected version(s) >=7.0.0.v20091005 <9.2.28.v20190418Fix Suggestion:
Update to version 9.2.28.v20190418org.eclipse.jetty:jetty-server (JAVA):
Affected version(s) >=9.3.0 <9.3.27.v20190418Fix Suggestion:
Update to version 9.3.27.v20190418org.eclipse.jetty:jetty-server (JAVA):
Affected version(s) >=9.4.0.v20161208 <9.4.17.v20190418Fix Suggestion:
Update to version 9.4.17.v20190418Related ResourcesĀ (27)
Do you need more information?
Contact UsCVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
CVSS v2
Base Score:
5.0
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
Weakness Type (CWE)
EPSS
Base Score:
6.5
