Directory Listing Information Exposure in Eclipse Jetty Server on Windows
CVE-2019-10246

5.3MEDIUM

Key Information:

Vendor

The Eclipse Foundation

Status
Eclipse Jetty
Vendor
CVE Published:
22 April 2019

What is CVE-2019-10246?

A vulnerability exists in versions 9.2.27, 9.3.26, and 9.4.16 of the Eclipse Jetty server that may allow a remote client to access the fully qualified base resource directory name when directory listings are enabled. This exposure is confined to the configured base resource directories, which may lead to unintended information disclosure for sensitive directory structures.

Affected Version(s)

Eclipse Jetty 9.2.27

Eclipse Jetty 9.3.26

Eclipse Jetty 9.4.16

References

https://lists.apache.org/thread.html/bcce5a9c532b386c68da...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rca37935d661f4689cb4...
mailing-listx_refsource_MLIST
https://www.oracle.com/security-alerts/cpuapr2020.html
x_refsource_MISC

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
The Cyber Security Vulnerability Database.