PT-2019-3889 · Eclipse · Eclipse Jetty

Published: 2019-04-18 · Updated: 2021-06-14 · CVE-2019-10246

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Eclipse Jetty versions 9.2.27, 9.3.26, and 9.4.16
Description: The issue is the exposure of the fully qualified Base Resource directory name on Windows to a remote client when the server is configured to show a listing of directory contents. The disclosure is limited to content in the configured base resource directories.
Recommendations: For Eclipse Jetty version 9.2.27, consider disabling the directory listing feature to prevent exposure of sensitive information. For Eclipse Jetty version 9.3.26, restrict access to the base resource directories to minimize the risk of exploitation. For Eclipse Jetty version 9.4.16, avoid configuring the server to show directory contents until a fix is available.
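
One way to check whether a deployment still has directory listing switched on, as recommended above, is to audit its web.xml descriptors. This is an added example, not code from the advisory or from the Jetty project. It assumes the listing is controlled by the DefaultServlet `dirAllowed` init-param or the `org.eclipse.jetty.servlet.Default.dirAllowed` context-param; the sample descriptors are constructed.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.eclipse.jetty.servlet.DefaultServlet"
CONTEXT_KEY = "org.eclipse.jetty.servlet.Default.dirAllowed"  # context-wide override

# Constructed sample descriptors (not from the advisory).
LISTING_ON = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <init-param><param-name>dirAllowed</param-name><param-value>true</param-value></init-param>
  </servlet></web-app>"""
HARDENED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param><param-name>org.eclipse.jetty.servlet.Default.dirAllowed</param-name>
    <param-value>false</param-value></context-param></web-app>"""
SILENT = '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1"/>'

def _children(elem, name):
    # Match on the local tag name so namespaced and plain descriptors both work.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else None

def _params(elem, kind):
    return {_text(p, "param-name"): _text(p, "param-value") for p in _children(elem, kind)}

def dir_listing_status(web_xml):
    """Return 'enabled', 'disabled', or 'inherited' for one web.xml string."""
    root = ET.fromstring(web_xml)
    value = _params(root, "context-param").get(CONTEXT_KEY)
    if value is None:  # assumption: the context-param wins over the servlet init-param
        for servlet in _children(root, "servlet"):
            if _text(servlet, "servlet-class") == DEFAULT_SERVLET:
                value = _params(servlet, "init-param").get("dirAllowed", value)
    if not value:
        # Nothing set here: the value comes from webdefault.xml, so review that file too.
        return "inherited"
    # Assumption: values starting with t/T/y/Y/1 are read as true.
    return "enabled" if value[0] in "tTyY1" else "disabled"

if __name__ == "__main__":
    for name, doc in [("listing-on", LISTING_ON), ("hardened", HARDENED), ("silent", SILENT)]:
        print(name, dir_listing_status(doc))
```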

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2019-04282
CVE-2019-10246
GHSA-R28M-G6J9-R2H5

Affected Products

Eclipse Jetty