CVE-2019-10241

Aliases: GHSA-7vx9-xjhr-rw6h
Advisory lineage: Upstream 0, Downstream 4
Status: Modified
Published: 22 Apr 2019, 20:14
Last modified: 04 Aug 2024, 22:17

Vulnerability Summary

Overall Risk (default): medium (26/100)
CVSS Score: 6.1 MEDIUM (v3.1, NVD)
EPSS Score: 10.41% MEDIUM (10% probability, +0.56%)
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected

Timeline

22 Apr 2019, 20:14 - Published (vulnerability first disclosed)
04 Aug 2024, 22:17 - Last modified (vulnerability information updated)

Description

In Eclipse Jetty 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to cross-site scripting (XSS) if a remote client uses a specially formatted URL against a DefaultServlet or ResourceHandler that is configured to show a listing of directory contents. The listing page reflects request-derived text into HTML without neutralizing it (CWE-79), so the payload executes in the browser of whoever follows the crafted link. Fixed releases are 9.2.27.v20190403, 9.3.26.v20190403 and 9.4.16.v20190411 (see the org.eclipse.jetty:jetty-server ranges under Affected Systems). The listing is only produced when directory listing is enabled (DefaultServlet's dirAllowed init parameter, or ResourceHandler.setDirectoriesListed(true)); deployments that do not need listings can disable them as a mitigation independent of upgrading.
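The following is an added illustration of the CWE-79 pattern behind this advisory and of a log check for probes against a listing page. It is not Jetty's code and does not reproduce the exact URL format from the report; it is written in Python rather than Java as a stand-in, and the listing renderers, the sample file names, the payload path and the access-log lines are all constructed for the example. The unsafe renderer interpolates the requested path and file names straight into HTML; the hardened one HTML-escapes text and attribute values and percent-encodes href targets.

```python
import html
import re
import urllib.parse

# Constructed sample data (hypothetical, not taken from Jetty or any real server).
SAMPLE_ENTRIES = ["README.txt", "logo.png", "<b>bold</b>.txt"]
MARKER = "<img src=x onerror=alert(1)>"
PAYLOAD_PATH = "/static/" + MARKER + "/"


def render_listing_unsafe(request_path, entries):
    """Vulnerable pattern (CWE-79): the requested path and the file names are
    interpolated into the HTML verbatim, so markup carried in the URL or in a
    file name is emitted as live markup."""
    rows = "".join(
        f'<li><a href="{request_path}{name}">{name}</a></li>' for name in entries
    )
    return (
        f"<html><head><title>Directory: {request_path}</title></head>"
        f"<body><h1>Directory: {request_path}</h1><ul>{rows}</ul></body></html>"
    )


def render_listing_safe(request_path, entries):
    """Hardened form: HTML-escape everything that lands in element content or an
    attribute value, and percent-encode what goes into the href target."""
    shown_path = html.escape(request_path, quote=True)
    rows = []
    for name in entries:
        href = urllib.parse.quote(request_path + name, safe="/")
        rows.append(
            f'<li><a href="{html.escape(href, quote=True)}">{html.escape(name)}</a></li>'
        )
    return (
        f"<html><head><title>Directory: {shown_path}</title></head>"
        f"<body><h1>Directory: {shown_path}</h1><ul>{''.join(rows)}</ul></body></html>"
    )


def reflects_unescaped(page, marker):
    """True if the raw marker appears in the page, i.e. it was not neutralized."""
    return marker in page


# Constructed access-log lines in Common Log Format (hypothetical traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [22/Apr/2019:20:14:00 +0000] "GET /static/ HTTP/1.1" 200 512
203.0.113.11 - - [22/Apr/2019:20:14:05 +0000] "GET /static/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E/ HTTP/1.1" 200 640
203.0.113.12 - - [22/Apr/2019:20:14:09 +0000] "GET /static/logo.png HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that have no business in a directory path but break out of HTML.
HTML_META = re.compile(r'[<>"\']')


def suspicious_listing_requests(log_text):
    """Flag requests whose decoded path targets a directory (trailing slash) and
    carries HTML metacharacters: the shape of a probe against a listing page."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urllib.parse.unquote(urllib.parse.urlsplit(m["target"]).path)
        if path.endswith("/") and HTML_META.search(path):
            hits.append((m["ip"], m["target"], m["status"]))
    return hits


if __name__ == "__main__":
    unsafe_page = render_listing_unsafe(PAYLOAD_PATH, SAMPLE_ENTRIES)
    safe_page = render_listing_safe(PAYLOAD_PATH, SAMPLE_ENTRIES)
    print("unsafe page reflects payload:", reflects_unescaped(unsafe_page, MARKER))
    print("safe page reflects payload:  ", reflects_unescaped(safe_page, MARKER))
    for ip, target, status in suspicious_listing_requests(SAMPLE_LOG):
        print("suspicious listing request:", ip, target, status)
```

The log check decodes the target before testing it, since a probe will normally arrive percent-encoded; it flags attempts regardless of response status, because a 404 on one directory does not tell you the next directory the client tries will be protected.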

CVSS Metrics

  • v3.1 MEDIUM, score 6.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • v3.0 MEDIUM, score 6.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • v2.0 MEDIUM, score 4.3: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 10.41% Percentile: 93%

Techniques & Countermeasures

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

    The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Affected Systems

  • Unknown vendor / ActiveMQ

    5.15.9

  • apache / drill

    1.16.0

  • debian / debian_linux

    9.0 | 10.0

  • eclipse / jetty (CPE entries, version:update)

    9.2.x: 9.2.0:20140523 | 9.2.0:20140526 | 9.2.0:maintenance_0 | 9.2.0:maintenance_1 | 9.2.0:rc0 | 9.2.1:20140609 | 9.2.2:20140723 | 9.2.3:20140905 | 9.2.4:20141103 | 9.2.5:20141112 | 9.2.6:20141203 | 9.2.6:20141205 | 9.2.7:20150116 | 9.2.8:20150217 | 9.2.9:20150224 | 9.2.10:20150310 | 9.2.11:20150528 | 9.2.11:20150529 | 9.2.11:maintenance_0 | 9.2.12:20150709 | 9.2.12:maintenance_0 | 9.2.13:20150730 | 9.2.14:20151106 | 9.2.15:20160210 | 9.2.16:20160407 | 9.2.16:20160414 | 9.2.17:20160517 | 9.2.18:20160721 | 9.2.19:20160908 | 9.2.20:20161216 | 9.2.21:20170120 | 9.2.22:20170606 | 9.2.23:20171218 | 9.2.24:20180105 | 9.2.25:20180606 | 9.2.26:20180806
    9.3.x: 9.3.0:20150601 | 9.3.0:20150608 | 9.3.0:20150612 | 9.3.0:maintenance0 | 9.3.0:maintenance1 | 9.3.0:maintenance2 | 9.3.0:rc0 | 9.3.0:rc1 | 9.3.1:20150714 | 9.3.2:20150730 | 9.3.3:20150825 | 9.3.3:20150827 | 9.3.4:20151005 | 9.3.4:20151007 | 9.3.4:rc0 | 9.3.4:rc1 | 9.3.5:20151012 | 9.3.6:20151106 | 9.3.7:20160115 | 9.3.7:rc0 | 9.3.7:rc1 | 9.3.8:20160311 | 9.3.8:20160314 | 9.3.8:rc0 | 9.3.9:20160517 | 9.3.9:maintenance_0 | 9.3.9:maintenance_1 | 9.3.10:20160621 | 9.3.10:maintenance_0 | 9.3.11:20160721 | 9.3.11:maintenance_0 | 9.3.12:20160915 | 9.3.13:20161014 | 9.3.13:maintenance_0 | 9.3.14:20161028 | 9.3.15:20161220 | 9.3.16:20170119 | 9.3.16:20170120 | 9.3.17:20170317 | 9.3.17:rc0 | 9.3.18:20170406 | 9.3.19:20170502 | 9.3.20:20170531 | 9.3.21:20170918 | 9.3.21:maintenance_0 | 9.3.21:rc0 | 9.3.22:20171030 | 9.3.23:20180228 | 9.3.24:20180605 | 9.3.25:20180904
    9.4.x: 9.4.0:20161207 | 9.4.0:20161208 | 9.4.0:20180619 | 9.4.0:maintenance_0 | 9.4.0:maintenance_1 | 9.4.0:rc0 | 9.4.0:rc1 | 9.4.0:rc2 | 9.4.0:rc3 | 9.4.1:20170120 | 9.4.1:20180619 | 9.4.2:20170220 | 9.4.2:20180619 | 9.4.3:20170317 | 9.4.3:20180619 | 9.4.4:20170410 | 9.4.4:20170414 | 9.4.4:20180619 | 9.4.5:20170502 | 9.4.5:20180619 | 9.4.6:20170531 | 9.4.6:20180619 | 9.4.7:20170914 | 9.4.7:20180619 | 9.4.7:rc0 | 9.4.8:20171121 | 9.4.8:20180619 | 9.4.9:20180320 | 9.4.10:20180503 | 9.4.10:rc0 | 9.4.10:rc1 | 9.4.11:20180605 | 9.4.12:20180830 | 9.4.12:rc0 | 9.4.12:rc1 | 9.4.12:rc2 | 9.4.13:20181111 | 9.4.14:20181114 | 9.4.15:20190215

  • org.eclipse.jetty:jetty-server (Maven)

    < 9.2.27.v20190403 | ≥ 9.3.0, < 9.3.26.v20190403 | ≥ 9.4.0, < 9.4.16.v20190411

  • oracle / flexcube_core_banking

    ≥ 11.5.0, ≤ 11.7.0 | 5.2.0

  • oracle / rest_data_services

    11.2.0.4 | 12.1.0.2 | 12.2.0.1 | 18c

  • oracle / retail_xstore_point_of_service

    7.1 | 15.0 | 16.0 | 17.0

  • The Eclipse Foundation / Eclipse Jetty

    ≤ 9.2.26 | ≤ 9.3.25 | ≤ 9.4.15
