CVE-2019-10246 — Exposure of Sensitive Information Due to Incompatible Policies in Eclipse Foundation Eclipse Jetty

CWE-213 — Exposure of Sensitive Information Due to Incompatible Policies CWE-200 — Sensitive Information Exposure6 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

2.6%

top 14.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netapp Oncommand System Manager Oracle Flexcube Core Banking THE Eclipse Foundation Eclipse Jetty +18 more

Timeline

PublishedApr 22

Latest updateApr 23

Description

In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages21 packages

▶NVDeclipse/jetty9.2.27, 9.3.26, 9.4.16+2

▶NVDoracle/unified_directory12.2.1.3.0, 12.2.1.4.0+1

▶CVEListV5the_eclipse_foundation/eclipse_jetty9.2.27, 9.3.26, 9.4.16+2

▶NVDoracle/enterprise_manager_base_platform13.2, 13.3+1

▶NVDoracle/endeca_information_discovery_integrator3.2.0

🔴Vulnerability Details

GHSA

Information Exposure vulnerability in Eclipse Jetty↗2019-04-23

▶

OSV

Information Exposure vulnerability in Eclipse Jetty↗2019-04-23

▶

CVEList

CVE-2019-10246: In Eclipse Jetty version 9↗2019-04-22

▶

📋Vendor Advisories

Red Hat

jetty: Directory Listing on Windows reveals Resource Base path↗2019-04-15

▶

Debian

CVE-2019-10246: jetty9 - In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windo...↗2019

▶