CVE-2019-10246 - Vulnerability Details

In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.02675.

Key SSVC decision points have not yet been added.

Vendors	Products
Eclipse Subscribe	Jetty Subscribe
Microsoft Subscribe	Windows Subscribe
Netapp Subscribe	Element Subscribe Oncommand System Manager Subscribe Snap Creator Framework Subscribe Snapcenter Subscribe Snapmanager Subscribe Storage Replication Adapter For Clustered Data Ontap Subscribe Storage Services Connector Subscribe Vasa Provider For Clustered Data Ontap Subscribe Virtual Storage Console Subscribe
Oracle Subscribe	Autovue Subscribe Communications Analytics Subscribe Communications Element Manager Subscribe Communications Services Gatekeeper Subscribe Communications Session Report Manager Subscribe Communications Session Route Manager Subscribe Data Integrator Subscribe Endeca Information Discovery Integrator Subscribe Enterprise Manager Base Platform Subscribe Flexcube Core Banking Subscribe Flexcube Private Banking Subscribe Hospitality Guest Access Subscribe Rest Data Services Subscribe Retail Xstore Point Of Service Subscribe Unified Directory Subscribe

Configuration 1 [-]

AND

OR	cpe:2.3:a:eclipse:jetty:9.2.27:20190403::::::
	cpe:2.3:a:eclipse:jetty:9.3.26:20190403::::::
	cpe:2.3:a:eclipse:jetty:9.4.16:20190411::::::

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:netapp:oncommand_system_manager::::::::
	cpe:2.3:a:netapp:snap_creator_framework:-:::::::*
	cpe:2.3:a:netapp:snapcenter:-:::::::*
	cpe:2.3:a:netapp:snapmanager:-:-::::oracle::*
	cpe:2.3:a:netapp:snapmanager:-:-::::sap::*
	cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap::::::vmware_vsphere::*
	cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap:9.6:::::::*
	cpe:2.3:a:netapp:storage_services_connector:-:::::::*
	cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap::::::::
	cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap:-:::::::*
	cpe:2.3:a:netapp:virtual_storage_console::::::vmware_vsphere::*
	cpe:2.3:a:netapp:virtual_storage_console:9.6:::::::*
	cpe:2.3:o:netapp:element:-:::::vcenter_server::

Configuration 3 [-]

OR	cpe:2.3:a:oracle:autovue:21.0.2:::::::*
	cpe:2.3:a:oracle:communications_analytics:12.1.1:::::::*
	cpe:2.3:a:oracle:communications_element_manager:8.0.0:::::::*
	cpe:2.3:a:oracle:communications_element_manager:8.1.0:::::::*
	cpe:2.3:a:oracle:communications_element_manager:8.1.1:::::::*
	cpe:2.3:a:oracle:communications_element_manager:8.2.0:::::::*
	cpe:2.3:a:oracle:communications_services_gatekeeper:6.0:::::::*
	cpe:2.3:a:oracle:communications_services_gatekeeper:6.1:::::::*
	cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:::::::*
	cpe:2.3:a:oracle:communications_session_report_manager:8.0.0:::::::*
	cpe:2.3:a:oracle:communications_session_report_manager:8.1.0:::::::*
	cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:::::::*
	cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:::::::*
	cpe:2.3:a:oracle:communications_session_route_manager:8.0.0:::::::*
	cpe:2.3:a:oracle:communications_session_route_manager:8.1.0:::::::*
	cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:::::::*
	cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:::::::*
	cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:::::::*
	cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:::::::*
	cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2:::::::*
	cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3:::::::*
	cpe:2.3:a:oracle:flexcube_core_banking::::::::
	cpe:2.3:a:oracle:flexcube_core_banking:5.2.0:::::::*
	cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:::::::*
	cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:::::::*
	cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:::::::*
	cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:::::::*
	cpe:2.3:a:oracle:rest_data_services:11.2.0.4::::-:::
	cpe:2.3:a:oracle:rest_data_services:12.1.0.2::::-:::
	cpe:2.3:a:oracle:rest_data_services:12.2.0.1::::-:::
	cpe:2.3:a:oracle:rest_data_services:18c::::-:::
	cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:::::::*
	cpe:2.3:a:oracle:unified_directory:12.2.1.3.0:::::::*
	cpe:2.3:a:oracle:unified_directory:12.2.1.4.0:::::::*

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2019-0430	In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.
Github GHSA	GHSA-r28m-g6j9-r2h5	Information Exposure vulnerability in Eclipse Jetty

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://bugs.eclipse.org/bugs/show_bug.cgi?id=546576
https://github.com/eclipse/jetty.project/issues/3549
https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E
https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
https://nvd.nist.gov/vuln/detail/CVE-2019-10246
https://security.netapp.com/advisory/ntap-20190509-0003/
https://www.cve.org/CVERecord?id=CVE-2019-10246
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: eclipse

Published: 2019-04-22T20:14:49

Updated: 2024-08-04T22:17:19.655Z

Reserved: 2019-03-27T00:00:00

Link: CVE-2019-10246

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-04-22T20:29:00.303

Modified: 2024-11-21T04:18:44.090

Link: CVE-2019-10246

Redhat

Severity : Low

Publid Date: 2019-04-15T00:00:00Z

Links: CVE-2019-10246 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Projects

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object