CVE-2018-12536

Name of the Vulnerable Software and Affected Versions Eclipse Jetty Server versions 9.x

Description The issue is related to the DefaultServlet's handling of intentionally bad queries that do not match a dynamic url-pattern. When such a query is handled by the DefaultServlet's static file serving, it can trigger a java.nio.file.InvalidPathException, which includes the full path to the base resource directory. If this exception is then handled by the default Error Handler, the exception message is included in the error response, revealing the full server path to the requesting system.

Recommendations For Eclipse Jetty Server versions 9.x, consider disabling the default Error Handling mechanism to prevent the disclosure of sensitive server path information. As a temporary workaround, restrict access to the DefaultServlet's static file serving functionality until a proper fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.