CVE-2019-10241

CWE-79 — Cross-site Scripting (XSS)9 documents7 sources

Severity

6.1MEDIUM

EPSS

9.7%

top 7.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

THE Eclipse Foundation Eclipse Jetty Oracle Flexcube Core Banking Apache Activemq +5 more

Timeline

PublishedApr 22

Latest updateMay 3

Description

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages9 packages

▶Mavenorg.eclipse.jetty:jetty-server9.3.0 — 9.3.26.v20190403+2

▶CVEListV5the_eclipse_foundation/eclipse_jettyunspecified — 9.2.26+2

▶NVDeclipse/jetty69 versions+68

▶Debianjetty9< 9.4.18-2+3

▶NVDoracle/flexcube_core_banking11.5.0 — 11.7.0+1

Also affects: Debian Linux 10.0, 9.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Cross-site Scripting in Eclipse Jetty↗2019-04-23

▶

OSV

Cross-site Scripting in Eclipse Jetty↗2019-04-23

▶

CVEList

CVE-2019-10241: In Eclipse Jetty version 9↗2019-04-22

▶

OSV

CVE-2019-10241: In Eclipse Jetty version 9↗2019-04-22

▶

📋Vendor Advisories

Red Hat

jetty: using specially formatted URL against DefaultServlet or ResourceHandler leads to XSS conditions↗2019-04-22

▶

Debian

CVE-2019-10241: jetty9 - In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and olde...↗2019

▶

💬Community

Bugzilla

CVE-2019-10241 jetty: using specially formatted URL against DefaultServlet or ResourceHandler leads to XSS conditions [fedora-all]↗2019-05-03

▶

Bugzilla

CVE-2019-10241 jetty: using specially formatted URL against DefaultServlet or ResourceHandler leads to XSS conditions↗2019-05-03

▶