Fluid Attacks Database

Description

Cross-site Scripting in Eclipse Jetty In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	jetty9	>=0 <9.4.18-2	9.4.18-2
debian 14	jetty9	>=0 <9.4.18-2	9.4.18-2
debian 11	jetty9	>=0 <9.4.18-2	9.4.18-2
debian 12	jetty9	>=0 <9.4.18-2	9.4.18-2
maven	org.eclipse.jetty:jetty-http	>=9.2.0.m0 <=9.2.26.v20180806 \|\| >=9.3.0.m0 <=9.3.25.v20180904 \|\| >=9.4.0.m0 <=9.4.15.v20190215	9.2.27.v20190403, 9.3.26.v20190403, 9.4.16.v20190411
maven	org.eclipse.jetty:jetty-server	>=0 <9.2.27.v20190403 \|\| >=9.3.0 <9.3.26.v20190403 \|\| >=9.4.0 <9.4.16.v20190411	9.2.27.v20190403, 9.3.26.v20190403, 9.4.16.v20190411
rpm rhel6	jetty-eclipse	-	-
rpm rhel7	jetty	-	-

Aliases

1. CVE-2019-102412. NVD-2019-102413. OSV-DEBIAN-2019-102414. OSV-2019-102415. GCVE-2019-102416. SECURITY-TRACKER-CVE-2019-102417. lists.debian.org

References