National Vulnerability Database

CVE-2019-10241 Detail

Current Description

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.

Source:  MITRE
Description Last Modified:  04/22/2019

Impact

CVSS v3.0 Severity and Metrics:

Base Score: 6.1 MEDIUM
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Impact Score: 2.7
Exploitability Score: 2.8


Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

CVSS v2.0 Severity and Metrics:

Base Score: 4.3 MEDIUM
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Impact Subscore: 2.9
Exploitability Subscore: 8.6


Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None

Additional Information:

  • Victim must voluntarily interact with attack mechanism
  • Allows unauthorized modification

References to Advisories, Solutions, and Tools

Hyperlink [Resource type]
https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121 [Issue Tracking, Vendor Advisory]
https://lists.apache.org/thread.html/01e004c3f7c7365863a27e7038b7f32dae56ccf3a496b277c9b7f7b6@%3Cjira.kafka.apache.org%3E [Third Party Advisory]
https://lists.apache.org/thread.html/464892b514c029dfc0c8656a93e1c0de983c473df70fdadbd224e09f@%3Cjira.kafka.apache.org%3E [Mailing List, Third Party Advisory]
https://lists.apache.org/thread.html/8bff534863c7aaf09bb17c3d0532777258dd3a5c7ddda34198cc2742@%3Cdev.kafka.apache.org%3E [Third Party Advisory]
https://lists.apache.org/thread.html/bcfb37bfba7b3d7e9c7808b5e5a38a98d6bb714d52cf5162bdd48e32@%3Cjira.kafka.apache.org%3E [Third Party Advisory]
https://lists.apache.org/thread.html/d7c4a664a34853f57c2163ab562f39802df5cf809523ea40c97289c1@%3Cdev.kafka.apache.org%3E [Mailing List, Third Party Advisory]
https://security.netapp.com/advisory/ntap-20190509-0003/ [Third Party Advisory]

Technical Details

Vulnerability Type

  • Cross-Site Scripting (XSS) (CWE-79)

Known Affected Software Configurations

Configuration 1
 cpe:/a:eclipse:jetty:9.2.0:20140523
 cpe:/a:eclipse:jetty:9.2.0:20140526
 cpe:/a:eclipse:jetty:9.2.0:maintenance_0
 cpe:/a:eclipse:jetty:9.2.0:maintenance_1
 cpe:/a:eclipse:jetty:9.2.0:rc0
 cpe:/a:eclipse:jetty:9.2.1:20140609
 cpe:/a:eclipse:jetty:9.2.2:20140723
 cpe:/a:eclipse:jetty:9.2.3:20140905
 cpe:/a:eclipse:jetty:9.2.4:20141103
 cpe:/a:eclipse:jetty:9.2.5:20141112
 cpe:/a:eclipse:jetty:9.2.6:20141203
 cpe:/a:eclipse:jetty:9.2.6:20141205
 cpe:/a:eclipse:jetty:9.2.7:20150116
 cpe:/a:eclipse:jetty:9.2.8:20150217
 cpe:/a:eclipse:jetty:9.2.9:20150224
 cpe:/a:eclipse:jetty:9.2.10:20150310
 cpe:/a:eclipse:jetty:9.2.11:20150528
 cpe:/a:eclipse:jetty:9.2.11:20150529
 cpe:/a:eclipse:jetty:9.2.11:maintenance_0
 cpe:/a:eclipse:jetty:9.2.12:20150709
 cpe:/a:eclipse:jetty:9.2.12:maintenance_0
 cpe:/a:eclipse:jetty:9.2.13:20150730
 cpe:/a:eclipse:jetty:9.2.14:20151106
 cpe:/a:eclipse:jetty:9.2.15:20160210
 cpe:/a:eclipse:jetty:9.2.16:20160407
 cpe:/a:eclipse:jetty:9.2.16:20160414
 cpe:/a:eclipse:jetty:9.2.17:20160517
 cpe:/a:eclipse:jetty:9.2.18:20160721
 cpe:/a:eclipse:jetty:9.2.19:20160908
 cpe:/a:eclipse:jetty:9.2.20:20161216
 cpe:/a:eclipse:jetty:9.2.21:20170120
 cpe:/a:eclipse:jetty:9.2.22:20170606
 cpe:/a:eclipse:jetty:9.2.23:20171218
 cpe:/a:eclipse:jetty:9.2.24:20180105
 cpe:/a:eclipse:jetty:9.2.25:20180606
 cpe:/a:eclipse:jetty:9.2.26:20180806
 cpe:/a:eclipse:jetty:9.3.0:20150601
 cpe:/a:eclipse:jetty:9.3.0:20150608
 cpe:/a:eclipse:jetty:9.3.0:20150612
 cpe:/a:eclipse:jetty:9.3.0:m2
 cpe:/a:eclipse:jetty:9.3.0:maintenance_0
 cpe:/a:eclipse:jetty:9.3.0:maintenance_1
 cpe:/a:eclipse:jetty:9.3.0:rc0
 cpe:/a:eclipse:jetty:9.3.0:rc1
 cpe:/a:eclipse:jetty:9.3.1:20150714
 cpe:/a:eclipse:jetty:9.3.2:20150730
 cpe:/a:eclipse:jetty:9.3.3:20150825
 cpe:/a:eclipse:jetty:9.3.3:20150827
 cpe:/a:eclipse:jetty:9.3.4:20151005
 cpe:/a:eclipse:jetty:9.3.4:20151007
 cpe:/a:eclipse:jetty:9.3.4:rc0
 cpe:/a:eclipse:jetty:9.3.4:rc1
 cpe:/a:eclipse:jetty:9.3.5:20151012
 cpe:/a:eclipse:jetty:9.3.6:20151106
 cpe:/a:eclipse:jetty:9.3.7:20160115
 cpe:/a:eclipse:jetty:9.3.7:rc0
 cpe:/a:eclipse:jetty:9.3.7:rc1
 cpe:/a:eclipse:jetty:9.3.8:20160311
 cpe:/a:eclipse:jetty:9.3.8:20160314
 cpe:/a:eclipse:jetty:9.3.8:rc0
 cpe:/a:eclipse:jetty:9.3.9:20160517
 cpe:/a:eclipse:jetty:9.3.9:maintenance_0
 cpe:/a:eclipse:jetty:9.3.9:maintenance_1
 cpe:/a:eclipse:jetty:9.3.10:20160621
 cpe:/a:eclipse:jetty:9.3.10:maintenance_0
 cpe:/a:eclipse:jetty:9.3.11:20160721
 cpe:/a:eclipse:jetty:9.3.11:maintenance_0
 cpe:/a:eclipse:jetty:9.3.12:20160915
 cpe:/a:eclipse:jetty:9.3.13:20161014
 cpe:/a:eclipse:jetty:9.3.13:maintenance_0
 cpe:/a:eclipse:jetty:9.3.14:20161028
 cpe:/a:eclipse:jetty:9.3.15:20161220
 cpe:/a:eclipse:jetty:9.3.16:20170119
 cpe:/a:eclipse:jetty:9.3.16:20170120
 cpe:/a:eclipse:jetty:9.3.17:20170317
 cpe:/a:eclipse:jetty:9.3.17:rc0
 cpe:/a:eclipse:jetty:9.3.18:20170406
 cpe:/a:eclipse:jetty:9.3.19:20170502
 cpe:/a:eclipse:jetty:9.3.20:20170531
 cpe:/a:eclipse:jetty:9.3.21:20170918
 cpe:/a:eclipse:jetty:9.3.21:maintenance_0
 cpe:/a:eclipse:jetty:9.3.21:rc0
 cpe:/a:eclipse:jetty:9.3.22:20171030
 cpe:/a:eclipse:jetty:9.3.23:20180228
 cpe:/a:eclipse:jetty:9.3.24:20180605
 cpe:/a:eclipse:jetty:9.3.25:20180904
 cpe:/a:eclipse:jetty:9.4.0:20161207
 cpe:/a:eclipse:jetty:9.4.0:20161208
 cpe:/a:eclipse:jetty:9.4.0:20180619
 cpe:/a:eclipse:jetty:9.4.0:maintenance_0
 cpe:/a:eclipse:jetty:9.4.0:maintenance_1
 cpe:/a:eclipse:jetty:9.4.0:rc0
 cpe:/a:eclipse:jetty:9.4.0:rc1
 cpe:/a:eclipse:jetty:9.4.0:rc2
 cpe:/a:eclipse:jetty:9.4.0:rc3
 cpe:/a:eclipse:jetty:9.4.1:20170120
 cpe:/a:eclipse:jetty:9.4.1:20180619
 cpe:/a:eclipse:jetty:9.4.2:20170220
 cpe:/a:eclipse:jetty:9.4.2:20180619
 cpe:/a:eclipse:jetty:9.4.3:20170317
 cpe:/a:eclipse:jetty:9.4.3:20180619

Showing 100 of 125 CPEs.

Change History

6 change records found

Quick Info

CVE Dictionary Entry:
CVE-2019-10241
NVD Published Date:
04/22/2019
NVD Last Modified:
05/10/2019