CVE-2019-10246 – org.eclipse.jetty:jetty-server

Package

Manager: maven
Name: org.eclipse.jetty:jetty-server
Vulnerable Version: >=9.2.0 <9.2.28.v20190418 || >=9.3.0 <9.3.27.v20190418 || >=9.4.0 <9.4.17.v20190418

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.01235 pctl0.78435

Details

Information Exposure vulnerability in Eclipse Jetty In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.

Metadata

Created: 2019-04-23T16:07:18Z
Modified: 2021-04-23T20:21:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-r28m-g6j9-r2h5/GHSA-r28m-g6j9-r2h5.json
CWE IDs: ["CWE-200", "CWE-213"]
Alternative ID: GHSA-r28m-g6j9-r2h5
Finding: F017
Auto approve: 1