Home

CVE-2019-10247

Description

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.

Risk Information

Base Score
5.3
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score
Exploitation Probability
6.477

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2019-10246,CVE-2019-10247 are fixed in Eclipse-jetty-server 9.2.28Windows
Vulnerabilities CVE-2019-10246,CVE-2019-10247 are fixed in Eclipse-jetty-server 9.3.27Windows
Vulnerabilities CVE-2019-10246,CVE-2019-10247 are fixed in Eclipse-jetty-server 9.4.17Windows
Multiple Vulnerabilities are affected in Netapp Snapcenter 2.3Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.0Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.1Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11.0.1Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11.1Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.10.4Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.10.5.2Windows
Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.12.0.1Windows
jetty9 security update(DSA-4949-1) jetty9_9.4.16-0+deb10u1_all.debLinux
Vulnerabilities CVE-2019-10246,CVE-2019-10247 are fixed in Eclipse-jetty-server for Linux 9.2.28Linux
Vulnerabilities CVE-2019-10246,CVE-2019-10247 are fixed in Eclipse-jetty-server for Linux 9.3.27Linux
Vulnerabilities CVE-2019-10246,CVE-2019-10247 are fixed in Eclipse-jetty-server for Linux 9.4.17Linux
Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2019-10247)NCM

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234