Home

CVE-2018-12536

Description

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesnt match a dynamic url-pattern, and is eventually handled by the DefaultServlets static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Risk Information

Base Score
5.3
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score
Exploitation Probability
3.306

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2017-7658,CVE-2017-7656,CVE-2018-12536,CVE-2017-7657 are fixed in Eclipse-jetty-server 9.3.24Windows
Vulnerabilities CVE-2017-7658,CVE-2017-7656,CVE-2018-12536,CVE-2018-12538 are fixed in Eclipse-jetty-server 9.4.11Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 5.2.6.3Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.0Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.1Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11.0.1Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11.1Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.10.4Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.10.5.2Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.12.0.1Windows
Vulnerabilities CVE-2017-7658,CVE-2017-7656,CVE-2018-12536,CVE-2017-7657 are fixed in Eclipse-jetty-server for Linux 9.3.24Linux
Vulnerabilities CVE-2017-7658,CVE-2017-7656,CVE-2018-12536,CVE-2018-12538 are fixed in Eclipse-jetty-server for Linux 9.4.11Linux
CVE-2018-12536NCM

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234