CVE-2019-10241

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

CVSS v3 6.1 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121	Issue Tracking Vendor Advisory
https://lists.apache.org/thread.html/01e004c3f7c7365863a27e7038b7f32dae56ccf3a496b277c9b7f7b6%40%3Cjira.kafka.apache.org%3E
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/464892b514c029dfc0c8656a93e1c0de983c473df70fdadbd224e09f%40%3Cjira.kafka.apache.org%3E
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/8bff534863c7aaf09bb17c3d0532777258dd3a5c7ddda34198cc2742%40%3Cdev.kafka.apache.org%3E
https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/bcfb37bfba7b3d7e9c7808b5e5a38a98d6bb714d52cf5162bdd48e32%40%3Cjira.kafka.apache.org%3E
https://lists.apache.org/thread.html/d7c4a664a34853f57c2163ab562f39802df5cf809523ea40c97289c1%40%3Cdev.kafka.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20190509-0003/	Third Party Advisory
https://www.debian.org/security/2021/dsa-4949	Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html	Patch Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:eclipse:jetty:9.2.0:20140523::::::
	cpe:2.3:a:eclipse:jetty:9.2.0:20140526::::::
	cpe:2.3:a:eclipse:jetty:9.2.0:maintenance_0::::::
	cpe:2.3:a:eclipse:jetty:9.2.0:maintenance_1::::::
	cpe:2.3:a:eclipse:jetty:9.2.0:rc0::::::
	cpe:2.3:a:eclipse:jetty:9.2.1:20140609::::::
	cpe:2.3:a:eclipse:jetty:9.2.2:20140723::::::
	cpe:2.3:a:eclipse:jetty:9.2.3:20140905::::::
	cpe:2.3:a:eclipse:jetty:9.2.4:20141103::::::
	cpe:2.3:a:eclipse:jetty:9.2.5:20141112::::::
	cpe:2.3:a:eclipse:jetty:9.2.6:20141203::::::
	cpe:2.3:a:eclipse:jetty:9.2.6:20141205::::::
	cpe:2.3:a:eclipse:jetty:9.2.7:20150116::::::
	cpe:2.3:a:eclipse:jetty:9.2.8:20150217::::::
	cpe:2.3:a:eclipse:jetty:9.2.9:20150224::::::
	cpe:2.3:a:eclipse:jetty:9.2.10:20150310::::::
	cpe:2.3:a:eclipse:jetty:9.2.11:20150528::::::
	cpe:2.3:a:eclipse:jetty:9.2.11:20150529::::::
	cpe:2.3:a:eclipse:jetty:9.2.11:maintenance_0::::::
	cpe:2.3:a:eclipse:jetty:9.2.12:20150709::::::
	cpe:2.3:a:eclipse:jetty:9.2.12:maintenance_0::::::
	cpe:2.3:a:eclipse:jetty:9.2.13:20150730::::::
	cpe:2.3:a:eclipse:jetty:9.2.14:20151106::::::
	cpe:2.3:a:eclipse:jetty:9.2.15:20160210::::::
	cpe:2.3:a:eclipse:jetty:9.2.16:20160407::::::
	cpe:2.3:a:eclipse:jetty:9.2.16:20160414::::::
	cpe:2.3:a:eclipse:jetty:9.2.17:20160517::::::
	cpe:2.3:a:eclipse:jetty:9.2.18:20160721::::::
	cpe:2.3:a:eclipse:jetty:9.2.19:20160908::::::
	cpe:2.3:a:eclipse:jetty:9.2.20:20161216::::::
	cpe:2.3:a:eclipse:jetty:9.2.21:20170120::::::
	cpe:2.3:a:eclipse:jetty:9.2.22:20170606::::::
	cpe:2.3:a:eclipse:jetty:9.2.23:20171218::::::
	cpe:2.3:a:eclipse:jetty:9.2.24:20180105::::::
	cpe:2.3:a:eclipse:jetty:9.2.25:20180606::::::
	cpe:2.3:a:eclipse:jetty:9.2.26:20180806::::::
	cpe:2.3:a:eclipse:jetty:9.3.0:20150601::::::
	cpe:2.3:a:eclipse:jetty:9.3.0:20150608::::::
	cpe:2.3:a:eclipse:jetty:9.3.0:20150612::::::
	cpe:2.3:a:eclipse:jetty:9.3.0:maintenance0::::::
	cpe:2.3:a:eclipse:jetty:9.3.0:maintenance1::::::
	cpe:2.3:a:eclipse:jetty:9.3.0:maintenance2::::::
	cpe:2.3:a:eclipse:jetty:9.3.0:rc0::::::
	cpe:2.3:a:eclipse:jetty:9.3.0:rc1::::::
	cpe:2.3:a:eclipse:jetty:9.3.1:20150714::::::
	cpe:2.3:a:eclipse:jetty:9.3.2:20150730::::::
	cpe:2.3:a:eclipse:jetty:9.3.3:20150825::::::
	cpe:2.3:a:eclipse:jetty:9.3.3:20150827::::::
	cpe:2.3:a:eclipse:jetty:9.3.4:20151005::::::
	cpe:2.3:a:eclipse:jetty:9.3.4:20151007::::::
	cpe:2.3:a:eclipse:jetty:9.3.4:rc0::::::
	cpe:2.3:a:eclipse:jetty:9.3.4:rc1::::::
	cpe:2.3:a:eclipse:jetty:9.3.5:20151012::::::
	cpe:2.3:a:eclipse:jetty:9.3.6:20151106::::::
	cpe:2.3:a:eclipse:jetty:9.3.7:20160115::::::
	cpe:2.3:a:eclipse:jetty:9.3.7:rc0::::::
	cpe:2.3:a:eclipse:jetty:9.3.7:rc1::::::
	cpe:2.3:a:eclipse:jetty:9.3.8:20160311::::::
	cpe:2.3:a:eclipse:jetty:9.3.8:20160314::::::
	cpe:2.3:a:eclipse:jetty:9.3.8:rc0::::::
	cpe:2.3:a:eclipse:jetty:9.3.9:20160517::::::
	cpe:2.3:a:eclipse:jetty:9.3.9:maintenance_0::::::
	cpe:2.3:a:eclipse:jetty:9.3.9:maintenance_1::::::
	cpe:2.3:a:eclipse:jetty:9.3.10:20160621::::::
cpe:2.3:a:eclipse:jetty:9.3.10:maintenance_0::::::
cpe:2.3:a:eclipse:jetty:9.3.11:20160721::::::
cpe:2.3:a:eclipse:jetty:9.3.11:maintenance_0::::::
cpe:2.3:a:eclipse:jetty:9.3.12:20160915::::::
cpe:2.3:a:eclipse:jetty:9.3.13:20161014::::::
cpe:2.3:a:eclipse:jetty:9.3.13:maintenance_0::::::
cpe:2.3:a:eclipse:jetty:9.3.14:20161028::::::
cpe:2.3:a:eclipse:jetty:9.3.15:20161220::::::
cpe:2.3:a:eclipse:jetty:9.3.16:20170119::::::
cpe:2.3:a:eclipse:jetty:9.3.16:20170120::::::
cpe:2.3:a:eclipse:jetty:9.3.17:20170317::::::
cpe:2.3:a:eclipse:jetty:9.3.17:rc0::::::
cpe:2.3:a:eclipse:jetty:9.3.18:20170406::::::
cpe:2.3:a:eclipse:jetty:9.3.19:20170502::::::
cpe:2.3:a:eclipse:jetty:9.3.20:20170531::::::
cpe:2.3:a:eclipse:jetty:9.3.21:20170918::::::
cpe:2.3:a:eclipse:jetty:9.3.21:maintenance_0::::::
cpe:2.3:a:eclipse:jetty:9.3.21:rc0::::::
cpe:2.3:a:eclipse:jetty:9.3.22:20171030::::::
cpe:2.3:a:eclipse:jetty:9.3.23:20180228::::::
cpe:2.3:a:eclipse:jetty:9.3.24:20180605::::::
cpe:2.3:a:eclipse:jetty:9.3.25:20180904::::::
cpe:2.3:a:eclipse:jetty:9.4.0:20161207::::::
cpe:2.3:a:eclipse:jetty:9.4.0:20161208::::::
cpe:2.3:a:eclipse:jetty:9.4.0:20180619::::::
cpe:2.3:a:eclipse:jetty:9.4.0:maintenance_0::::::
cpe:2.3:a:eclipse:jetty:9.4.0:maintenance_1::::::
cpe:2.3:a:eclipse:jetty:9.4.0:rc0::::::
cpe:2.3:a:eclipse:jetty:9.4.0:rc1::::::
cpe:2.3:a:eclipse:jetty:9.4.0:rc2::::::
cpe:2.3:a:eclipse:jetty:9.4.0:rc3::::::
cpe:2.3:a:eclipse:jetty:9.4.1:20170120::::::
cpe:2.3:a:eclipse:jetty:9.4.1:20180619::::::
cpe:2.3:a:eclipse:jetty:9.4.2:20170220::::::
cpe:2.3:a:eclipse:jetty:9.4.2:20180619::::::
cpe:2.3:a:eclipse:jetty:9.4.3:20170317::::::
cpe:2.3:a:eclipse:jetty:9.4.3:20180619::::::
cpe:2.3:a:eclipse:jetty:9.4.4:20170410::::::
cpe:2.3:a:eclipse:jetty:9.4.4:20170414::::::
cpe:2.3:a:eclipse:jetty:9.4.4:20180619::::::
cpe:2.3:a:eclipse:jetty:9.4.5:20170502::::::
cpe:2.3:a:eclipse:jetty:9.4.5:20180619::::::
cpe:2.3:a:eclipse:jetty:9.4.6:20170531::::::
cpe:2.3:a:eclipse:jetty:9.4.6:20180619::::::
cpe:2.3:a:eclipse:jetty:9.4.7:20170914::::::
cpe:2.3:a:eclipse:jetty:9.4.7:20180619::::::
cpe:2.3:a:eclipse:jetty:9.4.7:rc0::::::
cpe:2.3:a:eclipse:jetty:9.4.8:20171121::::::
cpe:2.3:a:eclipse:jetty:9.4.8:20180619::::::
cpe:2.3:a:eclipse:jetty:9.4.9:20180320::::::
cpe:2.3:a:eclipse:jetty:9.4.10:20180503::::::
cpe:2.3:a:eclipse:jetty:9.4.10:rc0::::::
cpe:2.3:a:eclipse:jetty:9.4.10:rc1::::::
cpe:2.3:a:eclipse:jetty:9.4.11:20180605::::::
cpe:2.3:a:eclipse:jetty:9.4.12:20180830::::::
cpe:2.3:a:eclipse:jetty:9.4.12:rc0::::::
cpe:2.3:a:eclipse:jetty:9.4.12:rc1::::::
cpe:2.3:a:eclipse:jetty:9.4.12:rc2::::::
cpe:2.3:a:eclipse:jetty:9.4.13:20181111::::::
cpe:2.3:a:eclipse:jetty:9.4.14:20181114::::::
cpe:2.3:a:eclipse:jetty:9.4.15:20190215::::::

Configuration 2 (hide)

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

Configuration 3 (hide)

OR	cpe:2.3:a:apache:activemq:5.15.9:::::::*
	cpe:2.3:a:apache:drill:1.16.0:::::::*

Configuration 4 (hide)

OR	cpe:2.3:a:oracle:flexcube_core_banking::::::::
	cpe:2.3:a:oracle:flexcube_core_banking:5.2.0:::::::*
	cpe:2.3:a:oracle:rest_data_services:11.2.0.4::::-:::
	cpe:2.3:a:oracle:rest_data_services:12.1.0.2::::-:::
	cpe:2.3:a:oracle:rest_data_services:12.2.0.1::::-:::
	cpe:2.3:a:oracle:rest_data_services:18c::::-:::
	cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:::::::*
	cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:::::::*

History

22 Apr 2022, 20:06

Type	Values Removed	Values Added
References		(DEBIAN) https://www.debian.org/security/2021/dsa-4949 - Third Party Advisory
References	~~(MLIST) https://lists.apache.org/thread.html/8bff534863c7aaf09bb17c3d0532777258dd3a5c7ddda34198cc2742@%3Cdev.kafka.apache.org%3E - Third Party Advisory~~	(MLIST) https://lists.apache.org/thread.html/8bff534863c7aaf09bb17c3d0532777258dd3a5c7ddda34198cc2742@%3Cdev.kafka.apache.org%3E - Mailing List, Third Party Advisory
References	~~(MLIST) https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E -~~	(MLIST) https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E - Mailing List, Third Party Advisory
References	~~(MLIST) https://lists.apache.org/thread.html/01e004c3f7c7365863a27e7038b7f32dae56ccf3a496b277c9b7f7b6@%3Cjira.kafka.apache.org%3E - Third Party Advisory~~	(MLIST) https://lists.apache.org/thread.html/01e004c3f7c7365863a27e7038b7f32dae56ccf3a496b277c9b7f7b6@%3Cjira.kafka.apache.org%3E - Mailing List, Third Party Advisory
References	~~(MISC) https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html -~~	(MISC) https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html - Patch, Third Party Advisory
References	~~(MLIST) https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html -~~	(MLIST) https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html - Mailing List, Third Party Advisory
References	~~(MLIST) https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E -~~	(MLIST) https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E - Mailing List, Third Party Advisory
References	~~(MISC) https://www.oracle.com/security-alerts/cpuoct2020.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuoct2020.html - Patch, Third Party Advisory
References	~~(MLIST) https://lists.apache.org/thread.html/bcfb37bfba7b3d7e9c7808b5e5a38a98d6bb714d52cf5162bdd48e32@%3Cjira.kafka.apache.org%3E - Third Party Advisory~~	(MLIST) https://lists.apache.org/thread.html/bcfb37bfba7b3d7e9c7808b5e5a38a98d6bb714d52cf5162bdd48e32@%3Cjira.kafka.apache.org%3E - Mailing List, Third Party Advisory
References	~~(MLIST) https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E -~~	(MLIST) https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E - Mailing List, Third Party Advisory
References	~~(MLIST) https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E -~~	(MLIST) https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E - Mailing List, Third Party Advisory
CPE		cpe:2.3:o:debian:debian_linux:9.0:::::::* cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:::::::* cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:::::::* cpe:2.3:a:oracle:rest_data_services:12.2.0.1::::-::: cpe:2.3:a:oracle:rest_data_services:12.1.0.2::::-::: cpe:2.3:a:oracle:flexcube_core_banking:5.2.0:::::::* cpe:2.3:a:apache:drill:1.16.0:::::::* cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:::::::* cpe:2.3:a:oracle:rest_data_services:11.2.0.4::::-::: cpe:2.3:a:oracle:flexcube_core_banking:::::::: cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:::::::* cpe:2.3:a:oracle:rest_data_services:18c::::-::: cpe:2.3:o:debian:debian_linux:10.0:::::::* cpe:2.3:a:apache:activemq:5.15.9:::::::*

Information

Published : 2019-04-22 20:29

Updated : 2024-02-04 20:20

NVD link : CVE-2019-10241

Mitre link : CVE-2019-10241

CVE.ORG link : CVE-2019-10241

JSON object : View

Products Affected

oracle

retail_xstore_point_of_service
rest_data_services
flexcube_core_banking

debian

debian_linux

apache

drill
activemq

eclipse

jetty

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2019-10241

6.1^/10

4.3^/10

Attach tags to `CVE-2019-10241`