CVE-2019-17632 – org.eclipse.jetty:jetty-server

Package

Manager: maven
Name: org.eclipse.jetty:jetty-server
Vulnerable Version: =9.4.21.v20190926 || >=9.4.21.v20190926 <9.4.24.v20191120 || =9.4.22.v20191022 || >=9.4.22.v20191022 <9.4.24.v20191120 || =9.4.23.v20191118 || >=9.4.23.v20191118 <9.4.24.v20191120

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.01117 pctl0.77384

Details

Unescaped exception messages in error responses in Jetty In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.

Metadata

Created: 2019-12-02T18:13:28Z
Modified: 2021-06-15T17:23:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-5h9j-q6j2-253f/GHSA-5h9j-q6j2-253f.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-5h9j-q6j2-253f
Finding: F008
Auto approve: 1