Fluid Attacks Database

Description

Unescaped exception messages in error responses in Jetty In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.eclipse.jetty:jetty-server	=9.4.21.v20190926 \|\| >=9.4.21.v20190926 <9.4.24.v20191120 \|\| =9.4.22.v20191022 \|\| >=9.4.22.v20191022 <9.4.24.v20191120 \|\| =9.4.23.v20191118 \|\| >=9.4.23.v20191118 <9.4.24.v20191120	9.4.24.v20191120, 9.4.24.v20191120, 9.4.24.v20191120
debian 14	jetty9	>=0 <9.4.26-1	9.4.26-1
debian 11	jetty9	>=0 <9.4.26-1	9.4.26-1
maven	org.eclipse.jetty:jetty-http	>=9.4.21.v20190926 <=9.4.23.v20191118	9.4.24.v20191120
debian 12	jetty9	>=0 <9.4.26-1	9.4.26-1
debian 13	jetty9	>=0 <9.4.26-1	9.4.26-1

Aliases

1. CVE-2019-176322. NVD-2019-176323. OSV-2019-176324. OSV-DEBIAN-2019-176325. GCVE-2019-176326. SECURITY-TRACKER-CVE-2019-17632

References

1. https://bugs.eclipse.org/bugs/show_bug.cgi?id=5534432. https://lists.fedoraproject.org/archives/list/[email protected]/message/SAITZ27GKPD2CCNHGT2VBT4VWIBUJJNS3. https://www.oracle.com/security-alerts/cpuApr2021.html4. https://www.oracle.com/security-alerts/cpuoct2020.html