CVE-2019-10247
high-risk
Published 2019-04-22
In Eclipse Jetty versions 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server (on any OS and Jetty version combination) reveals the configured fully qualified directory base resource location in the output of the 404 error returned when no Context matches the requested path. The default server behavior in jetty-distribution and jetty-home includes a DefaultHandler at the end of the Handler tree; this handler is responsible for reporting the 404 error and presents the various configured contexts as HTML for users to click through. The produced HTML includes the configured fully qualified directory base resource location for each context.
Do I need to act?
EPSS score: 4.2% chance of exploitation in next 30 days (moderate exploit probability)
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 5.3/10 (Medium); attack vector: Network, attack complexity: Low
Affected Products (20)
References (36)
Issue Tracking
https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577
Third Party Advisory
https://security.netapp.com/advisory/ntap-20190509-0003/
Third Party Advisory
https://www.debian.org/security/2021/dsa-4949
Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Risk score: 61 / 100 (high-risk)
Severity: 21/34 · High
Exploitability: 7/34 · Low
Exposure: 33/34 · Critical