CVE-2019-10247

Name of the Vulnerable Software and Affected Versions Eclipse Jetty versions 7.x through 9.4.16

Description The issue is related to the lack of protection for service data in the Eclipse Jetty servlet container. This can allow a remote attacker to disclose protected information. Specifically, in Eclipse Jetty versions 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server reveals the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior includes a DefaultHandler at the end of the Handler tree, which is responsible for reporting this 404 error and presents the various configured contexts as HTML for users to click through to, including the configured fully qualified directory base resource location for each context.

Recommendations For Eclipse Jetty versions 7.x through 9.4.16, consider disabling the DefaultHandler function until a patch is available to prevent the disclosure of protected information. Restrict access to the configured contexts to minimize the risk of exploitation. Avoid using the default server behavior that includes the configured fully qualified directory base resource location in the 404 error output. At the moment, there is no information about a newer version that contains a fix for this vulnerability.