Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-10241

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

Published

2019-04-22T20:29:00.243

Last Modified

2024-11-21T04:18:43.417

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.1 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-79
Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	eclipse	jetty	9.2.0	Yes
Application	eclipse	jetty	9.2.0	Yes
Application	eclipse	jetty	9.2.0	Yes
Application	eclipse	jetty	9.2.0	Yes
Application	eclipse	jetty	9.2.0	Yes
Application	eclipse	jetty	9.2.1	Yes
Application	eclipse	jetty	9.2.2	Yes
Application	eclipse	jetty	9.2.3	Yes
Application	eclipse	jetty	9.2.4	Yes
Application	eclipse	jetty	9.2.5	Yes
Application	eclipse	jetty	9.2.6	Yes
Application	eclipse	jetty	9.2.6	Yes
Application	eclipse	jetty	9.2.7	Yes
Application	eclipse	jetty	9.2.8	Yes
Application	eclipse	jetty	9.2.9	Yes
Application	eclipse	jetty	9.2.10	Yes
Application	eclipse	jetty	9.2.11	Yes
Application	eclipse	jetty	9.2.11	Yes
Application	eclipse	jetty	9.2.11	Yes
Application	eclipse	jetty	9.2.12	Yes
Application	eclipse	jetty	9.2.12	Yes
Application	eclipse	jetty	9.2.13	Yes
Application	eclipse	jetty	9.2.14	Yes
Application	eclipse	jetty	9.2.15	Yes
Application	eclipse	jetty	9.2.16	Yes
Application	eclipse	jetty	9.2.16	Yes
Application	eclipse	jetty	9.2.17	Yes
Application	eclipse	jetty	9.2.18	Yes
Application	eclipse	jetty	9.2.19	Yes
Application	eclipse	jetty	9.2.20	Yes
Application	eclipse	jetty	9.2.21	Yes
Application	eclipse	jetty	9.2.22	Yes
Application	eclipse	jetty	9.2.23	Yes
Application	eclipse	jetty	9.2.24	Yes
Application	eclipse	jetty	9.2.25	Yes
Application	eclipse	jetty	9.2.26	Yes
Application	eclipse	jetty	9.3.0	Yes
Application	eclipse	jetty	9.3.0	Yes
Application	eclipse	jetty	9.3.0	Yes
Application	eclipse	jetty	9.3.0	Yes
Application	eclipse	jetty	9.3.0	Yes
Application	eclipse	jetty	9.3.0	Yes
Application	eclipse	jetty	9.3.0	Yes
Application	eclipse	jetty	9.3.0	Yes
Application	eclipse	jetty	9.3.1	Yes
Application	eclipse	jetty	9.3.2	Yes
Application	eclipse	jetty	9.3.3	Yes
Application	eclipse	jetty	9.3.3	Yes
Application	eclipse	jetty	9.3.4	Yes
Application	eclipse	jetty	9.3.4	Yes
Application	eclipse	jetty	9.3.4	Yes
Application	eclipse	jetty	9.3.4	Yes
Application	eclipse	jetty	9.3.5	Yes
Application	eclipse	jetty	9.3.6	Yes
Application	eclipse	jetty	9.3.7	Yes
Application	eclipse	jetty	9.3.7	Yes
Application	eclipse	jetty	9.3.7	Yes
Application	eclipse	jetty	9.3.8	Yes
Application	eclipse	jetty	9.3.8	Yes
Application	eclipse	jetty	9.3.8	Yes
Application	eclipse	jetty	9.3.9	Yes
Application	eclipse	jetty	9.3.9	Yes
Application	eclipse	jetty	9.3.9	Yes
Application	eclipse	jetty	9.3.10	Yes
Application	eclipse	jetty	9.3.10	Yes
Application	eclipse	jetty	9.3.11	Yes
Application	eclipse	jetty	9.3.11	Yes
Application	eclipse	jetty	9.3.12	Yes
Application	eclipse	jetty	9.3.13	Yes
Application	eclipse	jetty	9.3.13	Yes
Application	eclipse	jetty	9.3.14	Yes
Application	eclipse	jetty	9.3.15	Yes
Application	eclipse	jetty	9.3.16	Yes
Application	eclipse	jetty	9.3.16	Yes
Application	eclipse	jetty	9.3.17	Yes
Application	eclipse	jetty	9.3.17	Yes
Application	eclipse	jetty	9.3.18	Yes
Application	eclipse	jetty	9.3.19	Yes
Application	eclipse	jetty	9.3.20	Yes
Application	eclipse	jetty	9.3.21	Yes
Application	eclipse	jetty	9.3.21	Yes
Application	eclipse	jetty	9.3.21	Yes
Application	eclipse	jetty	9.3.22	Yes
Application	eclipse	jetty	9.3.23	Yes
Application	eclipse	jetty	9.3.24	Yes
Application	eclipse	jetty	9.3.25	Yes
Application	eclipse	jetty	9.4.0	Yes
Application	eclipse	jetty	9.4.0	Yes
Application	eclipse	jetty	9.4.0	Yes
Application	eclipse	jetty	9.4.0	Yes
Application	eclipse	jetty	9.4.0	Yes
Application	eclipse	jetty	9.4.0	Yes
Application	eclipse	jetty	9.4.0	Yes
Application	eclipse	jetty	9.4.0	Yes
Application	eclipse	jetty	9.4.0	Yes
Application	eclipse	jetty	9.4.1	Yes
Application	eclipse	jetty	9.4.1	Yes
Application	eclipse	jetty	9.4.2	Yes
Application	eclipse	jetty	9.4.2	Yes
Application	eclipse	jetty	9.4.3	Yes
Application	eclipse	jetty	9.4.3	Yes
Application	eclipse	jetty	9.4.4	Yes
Application	eclipse	jetty	9.4.4	Yes
Application	eclipse	jetty	9.4.4	Yes
Application	eclipse	jetty	9.4.5	Yes
Application	eclipse	jetty	9.4.5	Yes
Application	eclipse	jetty	9.4.6	Yes
Application	eclipse	jetty	9.4.6	Yes
Application	eclipse	jetty	9.4.7	Yes
Application	eclipse	jetty	9.4.7	Yes
Application	eclipse	jetty	9.4.7	Yes
Application	eclipse	jetty	9.4.8	Yes
Application	eclipse	jetty	9.4.8	Yes
Application	eclipse	jetty	9.4.9	Yes
Application	eclipse	jetty	9.4.10	Yes
Application	eclipse	jetty	9.4.10	Yes
Application	eclipse	jetty	9.4.10	Yes
Application	eclipse	jetty	9.4.11	Yes
Application	eclipse	jetty	9.4.12	Yes
Application	eclipse	jetty	9.4.12	Yes
Application	eclipse	jetty	9.4.12	Yes
Application	eclipse	jetty	9.4.12	Yes
Application	eclipse	jetty	9.4.13	Yes
Application	eclipse	jetty	9.4.14	Yes
Application	eclipse	jetty	9.4.15	Yes
Operating System	debian	debian_linux	9.0	Yes
Operating System	debian	debian_linux	10.0	Yes
Application	apache	activemq	5.15.9	Yes
Application	apache	drill	1.16.0	Yes
Application	oracle	flexcube_core_banking	≤ 11.7.0	Yes
Application	oracle	flexcube_core_banking	5.2.0	Yes
Application	oracle	rest_data_services	11.2.0.4	Yes
Application	oracle	rest_data_services	12.1.0.2	Yes
Application	oracle	rest_data_services	12.2.0.1	Yes
Application	oracle	rest_data_services	18c	Yes
Application	oracle	retail_xstore_point_of_service	7.1	Yes
Application	oracle	retail_xstore_point_of_service	15.0	Yes
Application	oracle	retail_xstore_point_of_service	16.0	Yes
Application	oracle	retail_xstore_point_of_service	17.0	Yes

References

https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121 Issue Tracking, Vendor Advisory ([email protected])
https://lists.apache.org/thread.html/01e004c3f7c7365863a27e7038b7f32dae56ccf3a496b277c9b7f7b6%40%3Cjira.kafka.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/464892b514c029dfc0c8656a93e1c0de983c473df70fdadbd224e09f%40%3Cjira.kafka.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/8bff534863c7aaf09bb17c3d0532777258dd3a5c7ddda34198cc2742%40%3Cdev.kafka.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/bcfb37bfba7b3d7e9c7808b5e5a38a98d6bb714d52cf5162bdd48e32%40%3Cjira.kafka.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/d7c4a664a34853f57c2163ab562f39802df5cf809523ea40c97289c1%40%3Cdev.kafka.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E ([email protected])
https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html Mailing List, Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20190509-0003/ Third Party Advisory ([email protected])
https://www.debian.org/security/2021/dsa-4949 Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuoct2020.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html Patch, Third Party Advisory ([email protected])
https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121 Issue Tracking, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/01e004c3f7c7365863a27e7038b7f32dae56ccf3a496b277c9b7f7b6%40%3Cjira.kafka.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/464892b514c029dfc0c8656a93e1c0de983c473df70fdadbd224e09f%40%3Cjira.kafka.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/8bff534863c7aaf09bb17c3d0532777258dd3a5c7ddda34198cc2742%40%3Cdev.kafka.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/bcfb37bfba7b3d7e9c7808b5e5a38a98d6bb714d52cf5162bdd48e32%40%3Cjira.kafka.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/d7c4a664a34853f57c2163ab562f39802df5cf809523ea40c97289c1%40%3Cdev.kafka.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20190509-0003/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2021/dsa-4949 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuoct2020.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)