CVE-2019-17632

CWE-79 — Cross-site Scripting (XSS)9 documents7 sources

Severity

6.1MEDIUM

EPSS

1.5%

top 19.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

THE Eclipse Foundation Eclipse Jetty Eclipse Jetty

Timeline

PublishedNov 25

Latest updateDec 9

Description

In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶Mavenorg.eclipse.jetty:jetty-server9.4.21.v20190926 — 9.4.24.v20191120+2

▶NVDeclipse/jetty9.4.21, 9.4.22, 9.4.23+2

▶CVEListV5the_eclipse_foundation/eclipse_jetty9.4.21.v20190926, 9.4.22.v20191022, 9.4.23.v20191118+2

▶Debianjetty9< 9.4.26-1+3

🔴Vulnerability Details

GHSA

Unescaped exception messages in error responses in Jetty↗2019-12-02

▶

OSV

Unescaped exception messages in error responses in Jetty↗2019-12-02

▶

OSV

CVE-2019-17632: In Eclipse Jetty versions 9↗2019-11-25

▶

CVEList

CVE-2019-17632: In Eclipse Jetty versions 9↗2019-11-25

▶

📋Vendor Advisories

Red Hat

jetty: generation of default unhandled error response content does not escape exception messages in stacktraces included in error output↗2019-11-25

▶

Debian

CVE-2019-17632: jetty9 - In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v201911...↗2019

▶

💬Community

Bugzilla

CVE-2019-17632 jetty: generation of default unhandled error response content does not escape exception messages in stacktraces included in error output [fedora-all]↗2019-12-09

▶

Bugzilla

CVE-2019-17632 jetty: generation of default unhandled error response content does not escape exception messages in stacktraces included in error output↗2019-12-09

▶