CVE-2019-10247

Aliases: GHSA-xc67-hjx6-cgg6
Advisory lineage Upstream: 0 Downstream: 4
Modified
Published: 22 Apr 2019, 20:14
Last modified: 04 Aug 2024, 22:17

Vulnerability Summary

Overall Risk (default)
low
22/100
CVSS Score
5.3 MEDIUM
v3.1 (nvd)
EPSS Score
3.36% LOW
3% probability -3.23%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

22 Apr 2019, 20:14
Published
Vulnerability first disclosed
04 Aug 2024, 22:17
Last Modified
Vulnerability information updated

Description

In Eclipse Jetty versions 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server, on any OS and Jetty version combination, reveals the configured fully qualified directory base resource location in the output of the 404 error returned when no Context matches the requested path. The default server configuration in jetty-distribution and jetty-home places a DefaultHandler at the end of the Handler tree; this handler is responsible for reporting the 404 error, and it presents the various configured contexts as HTML for users to click through. The produced HTML includes the configured fully qualified directory base resource location for each context.

CVSS Metrics

  • v3.1 MEDIUM, score 5.3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • v2.0 MEDIUM, score 5: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 3.36% Percentile: 88%

Techniques & Countermeasures

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

    The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • CWE-213: Exposure of Sensitive Information Due to Incompatible Policies

    The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.

Affected Systems

  • debian: debian_linux

    9.0 | 10.0

  • eclipse: jetty

    7.0.0:20091005 | 7.0.0:maintenance_0 | 7.0.0:maintenance_1 | 7.0.0:maintenance_2 | 7.0.0:maintenance_3 | 7.0.0:maintenance_4 | 7.0.0:rc0 | 7.0.0:rc1 | 7.0.0:rc3 | 7.0.0:rc4 | 7.0.0:rc5 | 7.0.0:rc6 | 7.0.1:20091125 | 7.0.2:20100331 | 7.0.2:rc0 | 7.1.0:20100505 | 7.1.0:rc0 | 7.1.0:rc1 | 7.1.1:20100517 | 7.1.2:20100523 | 7.1.3:20100526 | 7.1.4:20100610 | 7.1.5:20100705 | 7.1.6:20100715 | 7.2.0:20101020 | 7.2.0:rc0 | 7.2.1:20101111 | 7.2.2:20101205 | 7.3.0:20110203 | 7.3.1:20110307 | 7.4.0:20110414 | 7.4.0:rc0 | 7.4.1:20110513 | 7.4.2:20110526 | 7.4.3:20110630 | 7.4.3:20110701 | 7.4.4:20110707 | 7.4.5:20110725 | 7.5.0:20110901 | 7.5.0:rc0 | 7.5.0:rc1 | 7.5.0:rc2 | 7.5.1:20110908 | 7.5.2:20111006 | 7.5.3:20111011 | 7.5.4:20111024 | 7.6.0:20120125 | 7.6.0:20120127 | 7.6.0:rc0 | 7.6.0:rc1 | 7.6.0:rc2 | 7.6.0:rc3 | 7.6.0:rc4 | 7.6.0:rc5 | 7.6.1:20120215 | 7.6.2:20120302 | 7.6.2:20120308 | 7.6.3:20120413 | 7.6.3:20120416 | 7.6.4:20120522 | 7.6.4:20120524 | 7.6.5:20120713 | 7.6.5:20120716 | 7.6.6:20120903 | 7.6.7:20120910 | 7.6.8:20121106 | 7.6.9:20130131 | 7.6.10:20130312 | 7.6.11:20130520 | 7.6.11:20130725 | 7.6.12:20130726 | 7.6.13:20130910 | 7.6.13:20130916 | 7.6.14:20131031 | 7.6.15:20140411 | 7.6.16:20140903 | 7.6.17:20150415 | 7.6.18:20150929 | 7.6.19:20160209 | 7.6.20:20160902 | 7.6.21:20160908 | 8.0.0:20110901 | 8.0.0:maintenance_0 | 8.0.0:maintenance_1 | 8.0.0:maintenance_2 | 8.0.0:maintenance_3 | 8.0.0:rc0 | 8.0.1:20110908 | 8.0.2:20111006 | 8.0.3:20111011 | 8.0.4:20111024 | 8.1.0:20120127 | 8.1.0:rc0 | 8.1.0:rc1 | 8.1.0:rc2 | 8.1.0:rc4 | 8.1.0:rc5 | 8.1.1:20120215 | 8.1.2:20120302 | 8.1.2:20120308 | 8.1.3:20120416 | 8.1.4:20120524 | 8.1.5:20120713 | 8.1.5:20120716 | 8.1.6:20120903 | 8.1.7:20120910 | 8.1.8:20121106 | 8.1.9:20130131 | 8.1.10:20130312 | 8.1.11:20130520 | 8.1.12:20130725 | 8.1.12:20130726 | 8.1.13:20130910 | 8.1.13:20130916 | 8.1.14:20131031 | 8.1.15:20140411 | 8.1.16:20140903 | 8.1.17:20150415 | 8.1.18:20150929 | 8.1.19:20160209 | 
8.1.20:20160902 | 8.1.21:20160908 | 8.1.22:20160922 | 8.2.0:20160908 | 9.0.0:20130308 | 9.0.0:m5 | 9.0.0:maintenance_0 | 9.0.0:maintenance_1 | 9.0.0:maintenance_2 | 9.0.0:maintenance_3 | 9.0.0:maintenance_4 | 9.0.0:maintenance_5 | 9.0.0:rc0 | 9.0.0:rc1 | 9.0.0:rc2 | 9.0.0:rc3 | 9.0.1:20130408 | 9.0.2:20130417 | 9.0.2:20140415 | 9.0.3:20130506 | 9.0.4:20130621 | 9.0.4:20130625 | 9.0.5:20130813 | 9.0.5:20130815 | 9.0.6:20130919 | 9.0.6:20130930 | 9.0.7:20131031 | 9.0.7:20131107 | 9.1.0:20131115 | 9.1.0:maintenance_0 | 9.1.0:rc0 | 9.1.0:rc1 | 9.1.0:rc2 | 9.1.1:20140108 | 9.1.2:20140210 | 9.1.3:20140225 | 9.1.4:20140401 | 9.1.5:20140505 | 9.1.6:20151106 | 9.1.6:20160112 | 9.2.0:20140523 | 9.2.0:20140526 | 9.2.0:maintenance_0 | 9.2.0:maintenance_1 | 9.2.0:rc0 | 9.2.1:20140609 | 9.2.2:20140723 | 9.2.3:20140905 | 9.2.4:20141103 | 9.2.5:20141112 | 9.2.6:20141203 | 9.2.6:20141205 | 9.2.7:20150116 | 9.2.8:20150217 | 9.2.9:20150224 | 9.2.10:20150310 | 9.2.11:20150528 | 9.2.11:20150529 | 9.2.11:maintenance_0 | 9.2.12:20150709 | 9.2.12:maintenance_0 | 9.2.13:20150730 | 9.2.14:20151106 | 9.2.15:20160210 | 9.2.16:20160407 | 9.2.16:20160414 | 9.2.17:20160517 | 9.2.18:20160721 | 9.2.19:20160908 | 9.2.20:20161216 | 9.2.21:20170120 | 9.2.22:20170606 | 9.2.23:20171218 | 9.2.24:20180105 | 9.2.25:20180606 | 9.2.26:20180806 | 9.2.27:20190403 | 9.3.0:20150601 | 9.3.0:20150608 | 9.3.0:20150612 | 9.3.0:maintenance0 | 9.3.0:maintenance1 | 9.3.0:maintenance2 | 9.3.0:rc0 | 9.3.0:rc1 | 9.3.1:20150714 | 9.3.2:20150730 | 9.3.3:20150825 | 9.3.3:20150827 | 9.3.4:20151005 | 9.3.4:20151007 | 9.3.4:rc0 | 9.3.4:rc1 | 9.3.5:20151012 | 9.3.6:20151106 | 9.3.7:20160115 | 9.3.7:rc0 | 9.3.7:rc1 | 9.3.8:20160311 | 9.3.8:20160314 | 9.3.8:rc0 | 9.3.9:20160517 | 9.3.9:maintenance_0 | 9.3.9:maintenance_1 | 9.3.10:20160621 | 9.3.10:maintenance_0 | 9.3.11:20160721 | 9.3.11:maintenance_0 | 9.3.12:20160915 | 9.3.13:20161014 | 9.3.13:maintenance_0 | 9.3.14:20161028 | 9.3.15:20161220 | 9.3.16:20170119 | 9.3.16:20170120 
| 9.3.17:20170317 | 9.3.17:rc0 | 9.3.18:20170406 | 9.3.19:20170502 | 9.3.20:20170531 | 9.3.21:20170918 | 9.3.21:maintenance_0 | 9.3.21:rc0 | 9.3.22:20171030 | 9.3.23:20180228 | 9.3.24:20180605 | 9.3.25:20180904 | 9.3.26:20190403 | 9.4.0:20161207 | 9.4.0:20161208 | 9.4.0:20180619 | 9.4.0:maintenance_0 | 9.4.0:maintenance_1 | 9.4.0:rc0 | 9.4.0:rc1 | 9.4.0:rc2 | 9.4.0:rc3 | 9.4.1:20170120 | 9.4.1:20180619 | 9.4.2:20170220 | 9.4.2:20180619 | 9.4.3:20170317 | 9.4.3:20180619 | 9.4.4:20170410 | 9.4.4:20170414 | 9.4.4:20180619 | 9.4.5:20170502 | 9.4.5:20180619 | 9.4.6:20170531 | 9.4.6:20180619 | 9.4.7:20170914 | 9.4.7:20180619 | 9.4.7:rc0 | 9.4.8:20171121 | 9.4.8:20180619 | 9.4.9:20180320 | 9.4.10:20180503 | 9.4.10:rc0 | 9.4.10:rc1 | 9.4.11:20180605 | 9.4.12:20180830 | 9.4.12:rc0 | 9.4.12:rc1 | 9.4.12:rc2 | 9.4.13:20181111 | 9.4.14:20181114 | 9.4.15:20190215

  • org.eclipse.jetty: jetty-server

    ≥ 7.0.0, < 9.2.28.v20190418 | ≥ 9.3.0, < 9.3.27.v20190418 | ≥ 9.4.0, < 9.4.17.v20190418

  • netapp: element

    na

  • netapp: oncommand_system_manager

    ≥ 3.0, ≤ 3.1.3

  • netapp: snap_creator_framework

    na

  • netapp: snapcenter

    na

  • netapp: snapmanager

    na

  • netapp: storage_replication_adapter_for_clustered_data_ontap

    ≥ 9.6

  • netapp: storage_services_connector

    na

  • netapp: vasa_provider_for_clustered_data_ontap

    ≥ 9.6

  • netapp: virtual_storage_console

    ≥ 9.6

  • oracle: autovue

    21.0.2

  • oracle: communications_analytics

    12.1.1

  • oracle: communications_element_manager

    8.0.0 | 8.1.0 | 8.1.1 | 8.2.0

  • oracle: communications_services_gatekeeper

    6.0 | 6.1 | 7.0

  • oracle: communications_session_report_manager

    8.0.0 | 8.1.0 | 8.1.1 | 8.2.0

  • oracle: communications_session_route_manager

    8.0.0 | 8.1.0 | 8.1.1 | 8.2.0

  • oracle: data_integrator

    12.2.1.3.0 | 12.2.1.4.0

  • oracle: endeca_information_discovery_integrator

    3.2.0

  • oracle: enterprise_manager_base_platform

    13.2 | 13.3

  • oracle: flexcube_core_banking

    ≥ 11.5.0, ≤ 11.7.0 | 5.2.0

  • oracle: flexcube_private_banking

    12.0.0 | 12.1.0

  • oracle: fmw_platform

    12.2.1.3.0 | 12.2.1.4.0

  • oracle: hospitality_guest_access

    4.2.0 | 4.2.1

  • oracle: retail_xstore_point_of_service

    7.1 | 15.0 | 16.0 | 17.0

  • oracle: unified_directory

    12.2.1.3.0 | 12.2.1.4.0

  • the eclipse foundation: eclipse jetty

    ≥ 7.0, < 8.0 | ≥ 8.0, < 9.0 | ≥ unspecified, ≤ 9.2.27 | ≥ unspecified, ≤ 9.3.26 | ≥ unspecified, ≤ 9.4.16

References (26)