Vulnerability Details CVE-2019-10247
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.021
EPSS Ranking 83.2%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 5.0
References
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html
- https://security.netapp.com/advisory/ntap-20190509-0003/
- https://www.debian.org/security/2021/dsa-4949
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html
- https://security.netapp.com/advisory/ntap-20190509-0003/
- https://www.debian.org/security/2021/dsa-4949
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Products affected by CVE-2019-10247
-
cpe:2.3:a:eclipse:jetty:7.0.0
-
cpe:2.3:a:eclipse:jetty:7.0.1
-
cpe:2.3:a:eclipse:jetty:7.0.2
-
cpe:2.3:a:eclipse:jetty:7.1.0
-
cpe:2.3:a:eclipse:jetty:7.1.1
-
cpe:2.3:a:eclipse:jetty:7.1.2
-
cpe:2.3:a:eclipse:jetty:7.1.3
-
cpe:2.3:a:eclipse:jetty:7.1.4
-
cpe:2.3:a:eclipse:jetty:7.1.5
-
cpe:2.3:a:eclipse:jetty:7.1.6
-
cpe:2.3:a:eclipse:jetty:7.2.0
-
cpe:2.3:a:eclipse:jetty:7.2.1
-
cpe:2.3:a:eclipse:jetty:7.2.2
-
cpe:2.3:a:eclipse:jetty:7.3.0
-
cpe:2.3:a:eclipse:jetty:7.3.1
-
cpe:2.3:a:eclipse:jetty:7.4.0
-
cpe:2.3:a:eclipse:jetty:7.4.1
-
cpe:2.3:a:eclipse:jetty:7.4.2
-
cpe:2.3:a:eclipse:jetty:7.4.3
-
cpe:2.3:a:eclipse:jetty:7.4.4
-
cpe:2.3:a:eclipse:jetty:7.4.5
-
cpe:2.3:a:eclipse:jetty:7.5.0
-
cpe:2.3:a:eclipse:jetty:7.5.1
-
cpe:2.3:a:eclipse:jetty:7.5.2
-
cpe:2.3:a:eclipse:jetty:7.5.3
-
cpe:2.3:a:eclipse:jetty:7.5.4
-
cpe:2.3:a:eclipse:jetty:7.6.0
-
cpe:2.3:a:eclipse:jetty:7.6.1
-
cpe:2.3:a:eclipse:jetty:7.6.10
-
cpe:2.3:a:eclipse:jetty:7.6.11
-
cpe:2.3:a:eclipse:jetty:7.6.12
-
cpe:2.3:a:eclipse:jetty:7.6.13
-
cpe:2.3:a:eclipse:jetty:7.6.14
-
cpe:2.3:a:eclipse:jetty:7.6.15
-
cpe:2.3:a:eclipse:jetty:7.6.16
-
cpe:2.3:a:eclipse:jetty:7.6.17
-
cpe:2.3:a:eclipse:jetty:7.6.18
-
cpe:2.3:a:eclipse:jetty:7.6.19
-
cpe:2.3:a:eclipse:jetty:7.6.2
-
cpe:2.3:a:eclipse:jetty:7.6.20
-
cpe:2.3:a:eclipse:jetty:7.6.21
-
cpe:2.3:a:eclipse:jetty:7.6.3
-
cpe:2.3:a:eclipse:jetty:7.6.4
-
cpe:2.3:a:eclipse:jetty:7.6.5
-
cpe:2.3:a:eclipse:jetty:7.6.6
-
cpe:2.3:a:eclipse:jetty:7.6.7
-
cpe:2.3:a:eclipse:jetty:7.6.8
-
cpe:2.3:a:eclipse:jetty:7.6.9
-
cpe:2.3:a:eclipse:jetty:8.0.0
-
cpe:2.3:a:eclipse:jetty:8.0.1
-
cpe:2.3:a:eclipse:jetty:8.0.2
-
cpe:2.3:a:eclipse:jetty:8.0.3
-
cpe:2.3:a:eclipse:jetty:8.0.4
-
cpe:2.3:a:eclipse:jetty:8.1.0
-
cpe:2.3:a:eclipse:jetty:8.1.1
-
cpe:2.3:a:eclipse:jetty:8.1.10
-
cpe:2.3:a:eclipse:jetty:8.1.11
-
cpe:2.3:a:eclipse:jetty:8.1.12
-
cpe:2.3:a:eclipse:jetty:8.1.13
-
cpe:2.3:a:eclipse:jetty:8.1.14
-
cpe:2.3:a:eclipse:jetty:8.1.15
-
cpe:2.3:a:eclipse:jetty:8.1.16
-
cpe:2.3:a:eclipse:jetty:8.1.17
-
cpe:2.3:a:eclipse:jetty:8.1.18
-
cpe:2.3:a:eclipse:jetty:8.1.19
-
cpe:2.3:a:eclipse:jetty:8.1.2
-
cpe:2.3:a:eclipse:jetty:8.1.20
-
cpe:2.3:a:eclipse:jetty:8.1.21
-
cpe:2.3:a:eclipse:jetty:8.1.22
-
cpe:2.3:a:eclipse:jetty:8.1.3
-
cpe:2.3:a:eclipse:jetty:8.1.4
-
cpe:2.3:a:eclipse:jetty:8.1.5
-
cpe:2.3:a:eclipse:jetty:8.1.6
-
cpe:2.3:a:eclipse:jetty:8.1.7
-
cpe:2.3:a:eclipse:jetty:8.1.8
-
cpe:2.3:a:eclipse:jetty:8.1.9
-
cpe:2.3:a:eclipse:jetty:8.2.0
-
cpe:2.3:a:eclipse:jetty:9.0.0
-
cpe:2.3:a:eclipse:jetty:9.0.1
-
cpe:2.3:a:eclipse:jetty:9.0.2
-
cpe:2.3:a:eclipse:jetty:9.0.3
-
cpe:2.3:a:eclipse:jetty:9.0.4
-
cpe:2.3:a:eclipse:jetty:9.0.5
-
cpe:2.3:a:eclipse:jetty:9.0.6
-
cpe:2.3:a:eclipse:jetty:9.0.7
-
cpe:2.3:a:eclipse:jetty:9.1.0
-
cpe:2.3:a:eclipse:jetty:9.1.1
-
cpe:2.3:a:eclipse:jetty:9.1.2
-
cpe:2.3:a:eclipse:jetty:9.1.3
-
cpe:2.3:a:eclipse:jetty:9.1.4
-
cpe:2.3:a:eclipse:jetty:9.1.5
-
cpe:2.3:a:eclipse:jetty:9.1.6
-
cpe:2.3:a:eclipse:jetty:9.2.0
-
cpe:2.3:a:eclipse:jetty:9.2.1
-
cpe:2.3:a:eclipse:jetty:9.2.10
-
cpe:2.3:a:eclipse:jetty:9.2.11
-
cpe:2.3:a:eclipse:jetty:9.2.12
-
cpe:2.3:a:eclipse:jetty:9.2.13
-
cpe:2.3:a:eclipse:jetty:9.2.14
-
cpe:2.3:a:eclipse:jetty:9.2.15
-
cpe:2.3:a:eclipse:jetty:9.2.16
-
cpe:2.3:a:eclipse:jetty:9.2.17
-
cpe:2.3:a:eclipse:jetty:9.2.18
-
cpe:2.3:a:eclipse:jetty:9.2.19
-
cpe:2.3:a:eclipse:jetty:9.2.2
-
cpe:2.3:a:eclipse:jetty:9.2.20
-
cpe:2.3:a:eclipse:jetty:9.2.21
-
cpe:2.3:a:eclipse:jetty:9.2.22
-
cpe:2.3:a:eclipse:jetty:9.2.23
-
cpe:2.3:a:eclipse:jetty:9.2.24
-
cpe:2.3:a:eclipse:jetty:9.2.25
-
cpe:2.3:a:eclipse:jetty:9.2.26
-
cpe:2.3:a:eclipse:jetty:9.2.27
-
cpe:2.3:a:eclipse:jetty:9.2.3
-
cpe:2.3:a:eclipse:jetty:9.2.4
-
cpe:2.3:a:eclipse:jetty:9.2.5
-
cpe:2.3:a:eclipse:jetty:9.2.6
-
cpe:2.3:a:eclipse:jetty:9.2.7
-
cpe:2.3:a:eclipse:jetty:9.2.8
-
cpe:2.3:a:eclipse:jetty:9.2.9
-
cpe:2.3:a:eclipse:jetty:9.3.0
-
cpe:2.3:a:eclipse:jetty:9.3.1
-
cpe:2.3:a:eclipse:jetty:9.3.10
-
cpe:2.3:a:eclipse:jetty:9.3.11
-
cpe:2.3:a:eclipse:jetty:9.3.12
-
cpe:2.3:a:eclipse:jetty:9.3.13
-
cpe:2.3:a:eclipse:jetty:9.3.14
-
cpe:2.3:a:eclipse:jetty:9.3.15
-
cpe:2.3:a:eclipse:jetty:9.3.16
-
cpe:2.3:a:eclipse:jetty:9.3.17
-
cpe:2.3:a:eclipse:jetty:9.3.18
-
cpe:2.3:a:eclipse:jetty:9.3.19
-
cpe:2.3:a:eclipse:jetty:9.3.2
-
cpe:2.3:a:eclipse:jetty:9.3.20
-
cpe:2.3:a:eclipse:jetty:9.3.21
-
cpe:2.3:a:eclipse:jetty:9.3.22
-
cpe:2.3:a:eclipse:jetty:9.3.23
-
cpe:2.3:a:eclipse:jetty:9.3.24
-
cpe:2.3:a:eclipse:jetty:9.3.25
-
cpe:2.3:a:eclipse:jetty:9.3.26
-
cpe:2.3:a:eclipse:jetty:9.3.3
-
cpe:2.3:a:eclipse:jetty:9.3.4
-
cpe:2.3:a:eclipse:jetty:9.3.5
-
cpe:2.3:a:eclipse:jetty:9.3.6
-
cpe:2.3:a:eclipse:jetty:9.3.7
-
cpe:2.3:a:eclipse:jetty:9.3.8
-
cpe:2.3:a:eclipse:jetty:9.3.9
-
cpe:2.3:a:eclipse:jetty:9.4.0
-
cpe:2.3:a:eclipse:jetty:9.4.1
-
cpe:2.3:a:eclipse:jetty:9.4.10
-
cpe:2.3:a:eclipse:jetty:9.4.11
-
cpe:2.3:a:eclipse:jetty:9.4.12
-
cpe:2.3:a:eclipse:jetty:9.4.13
-
cpe:2.3:a:eclipse:jetty:9.4.14
-
cpe:2.3:a:eclipse:jetty:9.4.15
-
cpe:2.3:a:eclipse:jetty:9.4.2
-
cpe:2.3:a:eclipse:jetty:9.4.3
-
cpe:2.3:a:eclipse:jetty:9.4.4
-
cpe:2.3:a:eclipse:jetty:9.4.5
-
cpe:2.3:a:eclipse:jetty:9.4.6
-
cpe:2.3:a:eclipse:jetty:9.4.7
-
cpe:2.3:a:eclipse:jetty:9.4.8
-
cpe:2.3:a:eclipse:jetty:9.4.9
-
cpe:2.3:a:netapp:oncommand_system_manager:3.0
-
cpe:2.3:a:netapp:oncommand_system_manager:3.0.0
-
cpe:2.3:a:netapp:oncommand_system_manager:3.1
-
cpe:2.3:a:netapp:oncommand_system_manager:3.1.1
-
cpe:2.3:a:netapp:oncommand_system_manager:3.1.2
-
cpe:2.3:a:netapp:oncommand_system_manager:3.1.3
-
cpe:2.3:a:netapp:snap_creator_framework:-
-
cpe:2.3:a:netapp:snapcenter:-
-
cpe:2.3:a:netapp:snapmanager:-
-
cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap:9.6
-
cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap:9.7
-
cpe:2.3:a:netapp:storage_services_connector:-
-
cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap:9.6
-
cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap:9.7
-
cpe:2.3:a:netapp:virtual_storage_console:9.6
-
cpe:2.3:a:netapp:virtual_storage_console:9.7
-
cpe:2.3:a:oracle:autovue:21.0.2
-
cpe:2.3:a:oracle:communications_analytics:12.1.1
-
cpe:2.3:a:oracle:communications_element_manager:8.0.0
-
cpe:2.3:a:oracle:communications_element_manager:8.1.0
-
cpe:2.3:a:oracle:communications_element_manager:8.1.1
-
cpe:2.3:a:oracle:communications_element_manager:8.2.0
-
cpe:2.3:a:oracle:communications_services_gatekeeper:6.0
-
cpe:2.3:a:oracle:communications_services_gatekeeper:6.1
-
cpe:2.3:a:oracle:communications_services_gatekeeper:7.0
-
cpe:2.3:a:oracle:communications_session_report_manager:8.0.0
-
cpe:2.3:a:oracle:communications_session_report_manager:8.1.0
-
cpe:2.3:a:oracle:communications_session_report_manager:8.1.1
-
cpe:2.3:a:oracle:communications_session_report_manager:8.2.0
-
cpe:2.3:a:oracle:communications_session_route_manager:8.0.0
-
cpe:2.3:a:oracle:communications_session_route_manager:8.1.0
-
cpe:2.3:a:oracle:communications_session_route_manager:8.1.1
-
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0
-
cpe:2.3:a:oracle:data_integrator:12.2.1.3.0
-
cpe:2.3:a:oracle:data_integrator:12.2.1.4.0
-
cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0
-
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2
-
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3
-
cpe:2.3:a:oracle:flexcube_core_banking:11.5.0
-
cpe:2.3:a:oracle:flexcube_core_banking:11.6.0
-
cpe:2.3:a:oracle:flexcube_core_banking:11.7.0
-
cpe:2.3:a:oracle:flexcube_core_banking:5.2.0
-
cpe:2.3:a:oracle:flexcube_private_banking:12.0.0
-
cpe:2.3:a:oracle:flexcube_private_banking:12.1.0
-
cpe:2.3:a:oracle:fmw_platform:12.2.1.3.0
-
cpe:2.3:a:oracle:fmw_platform:12.2.1.4.0
-
cpe:2.3:a:oracle:hospitality_guest_access:4.2.0
-
cpe:2.3:a:oracle:hospitality_guest_access:4.2.1
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1
-
cpe:2.3:a:oracle:unified_directory:12.2.1.3.0
-
cpe:2.3:a:oracle:unified_directory:12.2.1.4.0
-
cpe:2.3:o:debian:debian_linux:10.0
-
cpe:2.3:o:debian:debian_linux:9.0
-
cpe:2.3:o:netapp:element:-