Information Disclosure Vulnerability in Eclipse Jetty
CVE-2019-17632

6.1 MEDIUM

Key Information:

Vendor
CVE Published: 25 November 2019

What is CVE-2019-17632?

In specific versions of Eclipse Jetty, the system generates error responses in HTML and JSON formats that do not properly escape exception messages contained in stack traces. This oversight can lead to potentially sensitive information being revealed in error outputs, which could be exploited by an attacker to gather insights about the server or application behavior.
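
The escaping that the description says is missing, shown as an added example; this is not Jetty's code or its fix. The class and method names (`EscapedErrorResponse`, `escapeHtml`, `escapeJson`, `htmlError`, `jsonError`) are hypothetical and the exception messages are constructed samples. Each message in the cause chain is escaped for the format it is written into before it reaches the error body.

```java
public class EscapedErrorResponse {
    // Escape characters that are significant in HTML text and attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Escape a value for use inside a JSON string literal. Control characters
    // and markup characters are written as numeric escapes (still valid JSON).
    static String escapeJson(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c == '"' || c == '\\') out.append('\\').append(c);
            else if (c < 0x20 || c == '<' || c == '>' || c == '&') out.append(String.format("\\u%04x", (int) c));
            else out.append(c);
        }
        return out.toString();
    }

    // HTML error body: one escaped <pre> entry per exception in the cause chain.
    static String htmlError(int status, Throwable t) {
        StringBuilder b = new StringBuilder("<html><body><h2>HTTP ERROR " + status + "</h2>\n");
        for (Throwable c = t; c != null; c = c.getCause())
            b.append("<pre>").append(escapeHtml(c.getClass().getName() + ": " + c.getMessage())).append("</pre>\n");
        return b.append("</body></html>").toString();
    }

    // JSON error body: the same cause chain as an array of escaped strings.
    static String jsonError(int status, Throwable t) {
        StringBuilder b = new StringBuilder("{\"status\":" + status + ",\"causes\":[");
        for (Throwable c = t; c != null; c = c.getCause())
            b.append(c == t ? "" : ",").append('"').append(escapeJson(c.getClass().getName() + ": " + c.getMessage())).append('"');
        return b.append("]}").toString();
    }

    public static void main(String[] args) {
        // Constructed sample: messages carrying quotes, markup characters and a newline.
        Throwable t = new IllegalStateException("bad \"id\" <b>x</b> & more", new RuntimeException("line1\nline2"));
        System.out.println(htmlError(500, t));
        System.out.println(jsonError(500, t));
    }
}
```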

Affected Version(s)

Eclipse Jetty 9.4.21.v20190926

Eclipse Jetty 9.4.22.v20191022

Eclipse Jetty 9.4.23.v20191118

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This vulnerability was discovered by Jon Are Rakvåg, Security architect, SpareBank 1 Utvikling and Erlend Leiknes, Security Consultant, mnemonic as.