CVE-2018-12536Information Exposure via Error Message in Eclipse Foundation Eclipse Jetty

CWE-209Information Exposure via Error Message9 documents7 sources
Severity
5.3MEDIUMNVD
EPSS
3.3%
top 12.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
THE Eclipse Foundation Eclipse JettyEclipse JettyOracle Retail Xstore Point OF Service
Timeline
PublishedJun 27
Latest updateOct 19

Description

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

NVDeclipse/jetty9.3.09.3.24+2
CVEListV5the_eclipse_foundation/eclipse_jetty9.3.0unspecified+4

Patches

Patch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

4
GHSA
Eclipse Jetty Server generates error message containing sensitive information2018-10-19
OSV
Eclipse Jetty Server generates error message containing sensitive information2018-10-19
CVEList
CVE-2018-12536: In Eclipse Jetty Server, all 92018-06-27
OSV
CVE-2018-12536: In Eclipse Jetty Server, all 92018-06-27

📋Vendor Advisories

2
Red Hat
jetty: full server path revealed when using the default Error Handling2018-06-27
Debian
CVE-2018-12536: jetty9 - In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Err...2018

💬Community

2
Bugzilla
CVE-2018-12536 jetty: full server path revealed when using the default Error Handling2018-07-02
Bugzilla
CVE-2018-12536 jetty: full server path revealed when using the default Error Handling [fedora-all]2018-07-02
CVE-2018-12536 — Information Exposure via Error Message | cvebase