Bug 546576 (CVE-2019-10246) - Jetty CVE Request: Information Reveal - Windows Directory Listings
Summary: Jetty CVE Request: Information Reveal - Windows Directory Listings
Status: RESOLVED FIXED
Alias: CVE-2019-10246
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: PC Windows All
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects
QA Contact:
URL: https://cve.mitre.org/cgi-bin/cvename...
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2019-04-18 16:32 EDT by Joakim Erdfelt
Modified: 2022-10-06 00:02 EDT

See Also:


Description Joakim Erdfelt 2019-04-18 16:32:53 EDT
As reported at https://github.com/eclipse/jetty.project/issues/3549

This only impacts users running Eclipse Jetty on Windows who have a DefaultServlet or ResourceHandler providing directory content listings.

Impacts Versions:

* 9.2.27.v20190403
* 9.3.26.v20190403
* 9.4.16.v20190411
Comment 1 Joakim Erdfelt 2019-04-18 16:51:19 EDT
This reveals the full system path of the base resources configured on the various contexts on the system.

CVSS score for this is ...

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3 (Medium)
Comment 2 Joakim Erdfelt 2019-04-18 17:03:38 EDT
Please publish on Monday April 22nd.

This is the text we should include in the CVE report ...

--(start)--

The server running on Windows is vulnerable to exposure of the fully
qualified Base Resource directory name on Windows to a remote client
when it is configured for showing a Listing of directory contents.
This information reveal is restricted to only the content in the
configured base resource directories.

Example:  If you had configured your base resource directory such as
 C:\applications\appname\webapps\private.war  then the response content
produced during a directory listing will show the entire name
 "C:\applications\appname\webapps\private.war" in the HTML output.

Versions affected: 
  9.2.27.v20190403
  9.3.26.v20190403
  9.4.16.v20190411

Resolved:
  9.2.28.v20190418
  9.3.27.v20190418
  9.4.17.v20190418

--(end)--

Note: the specific versions where this is resolved are not available in the various public locations yet, as they are undergoing review.
This section might be updated if issues are discovered.
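A check for the disclosure described in the CVE text above, written as an added example for this page; it is not code from the Jetty project or from the reporter. It assumes a directory-listing response has already been fetched (with curl, requests or similar) and is handed in as a headers dict plus the body text; the two sample responses at the bottom are constructed for illustration, not real captures, and the Windows-path regex is a heuristic of my own, not something Jetty ships. The affected-version set is the three exact releases named in the report.

```python
"""Check a captured Jetty directory-listing response for the Windows base
resource path disclosure (CVE-2019-10246).  Added example; not Jetty code."""
import re
from typing import Dict, List, Optional

# The three releases the reporter names as affected: exact versions, no ranges.
AFFECTED_VERSIONS = {
    "9.2.27.v20190403",
    "9.3.26.v20190403",
    "9.4.16.v20190411",
}

# Jetty advertises itself as e.g. "Jetty(9.4.16.v20190411)" in the Server header.
_SERVER_RE = re.compile(r"Jetty\(([^)]+)\)")

# Heuristic (assumption, not from the report): a Windows absolute path leaking
# into HTML starts with a drive letter plus ":\" or a UNC "\\host\share\" prefix
# and runs up to whitespace, a quote or a tag delimiter.  Relative URLs such as
# /docs/ never match.
_WIN_PATH_RE = re.compile(r"""(?:[A-Za-z]:\\|\\\\[^\\\s<>"']+\\)[^\s<>"']*""")


def jetty_version(headers: Dict[str, str]) -> Optional[str]:
    """Return the Jetty version string from the Server header, or None."""
    server = headers.get("Server") or headers.get("server")
    if not server:
        return None
    m = _SERVER_RE.search(server)
    return m.group(1) if m else None


def is_affected_version(version: Optional[str]) -> bool:
    """Exact match only, matching the reporter's statement of scope."""
    return version in AFFECTED_VERSIONS


def leaked_windows_paths(body: str) -> List[str]:
    """Windows absolute paths found anywhere in a listing body, deduplicated."""
    return sorted(set(_WIN_PATH_RE.findall(body)))


def assess(headers: Dict[str, str], body: str) -> dict:
    """Combine the version check with the body scan for one response."""
    version = jetty_version(headers)
    paths = leaked_windows_paths(body)
    return {
        "version": version,
        "affected_version": is_affected_version(version),
        "leaked_paths": paths,
        "leak": bool(paths),
    }


# Constructed sample: a leaking listing of /docs/ when the base resource is
# C:\applications\appname\webapps\private.war (the path used in the report).
LEAKING_HEADERS = {"Server": "Jetty(9.4.16.v20190411)"}
LEAKING_BODY = (
    "<html><head><title>Directory: "
    "C:\\applications\\appname\\webapps\\private.war\\docs\\</title></head>"
    "<body><h1>Directory: C:\\applications\\appname\\webapps\\private.war\\docs\\</h1>"
    '<table><tr><td><a href="/docs/readme.txt">readme.txt</a></td></tr></table>'
    "</body></html>"
)

# Constructed sample: a fixed release shows only the request path.
CLEAN_HEADERS = {"Server": "Jetty(9.4.17.v20190418)"}
CLEAN_BODY = (
    "<html><head><title>Directory: /docs/</title></head>"
    "<body><h1>Directory: /docs/</h1>"
    '<table><tr><td><a href="/docs/readme.txt">readme.txt</a></td></tr></table>'
    "</body></html>"
)

if __name__ == "__main__":
    for label, h, b in (("leaking", LEAKING_HEADERS, LEAKING_BODY),
                        ("clean", CLEAN_HEADERS, CLEAN_BODY)):
        print(label, assess(h, b))
```

The body scan is deliberately independent of the version check: a server that hides its Server header, or sits behind a proxy that rewrites it, can still be caught by the path pattern, and a matching version with no listing enabled is not exploitable. Run it only against hosts you own or are authorised to test. Where upgrading to the resolved releases is not immediately possible, directory listings can be switched off on the DefaultServlet with its `dirAllowed` init-param set to `false`, which removes the listing page entirely.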
Comment 3 Jesse McConnell 2019-04-18 17:33:19 EDT
Again, in lieu of the CVSS, CWE-213
Comment 4 Wayne Beaton 2019-04-22 13:43:58 EDT
Pull request: https://github.com/CVEProject/cvelist/pull/1931
Comment 5 Tony Homer 2019-05-02 11:06:58 EDT
The “Known Affected Software Configurations” on the CVE page states "Up to (including)" the listed versions.
The description (and Joakim's description) reads as if this only affects the three listed versions.
Can the description be adjusted to state clearly that this affects "Up to (including)" those three versions (or not)?
Thanks!
Comment 6 Jesse McConnell 2019-05-02 11:18:59 EDT
Wayne, what is the process to update this?

----

Versions affected: 
  9.2.0.v20140526 - 9.2.27.v20190403
  9.3.0.v20150612 - 9.3.26.v20190403
  9.4.0.v20161208 - 9.4.16.v20190411
Comment 7 Joakim Erdfelt 2019-05-02 11:33:46 EDT
Incorrect, Jesse.

This CVE impacts only those 3 specific versions.
No version ranges.

* 9.2.27.v20190403
* 9.3.26.v20190403
* 9.4.16.v20190411
Comment 8 Jesse McConnell 2019-05-02 11:38:27 EDT
Ouch, I was thinking of a different one then. Thanks! For future reference though, Wayne, is updating something here correct or should we make a PR against the CVE issue that you link?
Comment 9 Tony Homer 2019-05-02 11:42:08 EDT
Thanks for your quick responses!
Based on #7, the configurations listed at https://nvd.nist.gov/vuln/detail/CVE-2019-10246 are wrong (see below) and should be updated.

Wrong (but currently listed) on https://nvd.nist.gov/vuln/detail/CVE-2019-10246:
Known Affected Software Configurations, Configuration 1:
  cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*    Up to (including) 9.2.26
  cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*    From (including) 9.3.0    Up to (including) 9.3.26
  cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*    From (including) 9.4.0    Up to (including) 9.4.16
Running on/with:
  cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Comment 10 Wayne Beaton 2019-05-02 11:46:52 EDT
(In reply to Jesse McConnell from comment #8)
> Ouch, I was thinking of a different one then. Thanks! For future reference
> though, Wayne, is updating something here correct or should we make a PR
> against the CVE issue that you link?

It's best, IMHO, to keep the related discussion in one location. To update CVE, please comment on and reopen the bug. If I don't respond in a day or two, ping security@eclipse.org.
Comment 11 Wayne Beaton 2019-05-02 11:54:59 EDT
The report that I pushed [1] specified just those particular versions. My parsing of the rules is that a version_affected of "=" means that exact version.

I'll open an issue to ask for guidance.

[1] https://github.com/CVEProject/cvelist/blob/master/2019/10xxx/CVE-2019-10246.json
Comment 12 Wayne Beaton 2019-05-02 12:06:09 EDT
> I'll open an issue to ask for guidance.

https://github.com/CVEProject/cvelist/issues/1962
Comment 13 Wayne Beaton 2019-05-16 15:18:45 EDT
(In reply to Wayne Beaton from comment #12)
> > I'll open an issue to ask for guidance.
> 
> https://github.com/CVEProject/cvelist/issues/1962

The Mitre folks have confirmed that the information that we provided to them conforms to their schema, have pointed me to the folks at NIST, and have closed the issue. I can't find an obvious link to an issue tracker, so I've sent a note to the NIST team. I'll update here when/if I receive a response.

I'm reopening the bug so that this stays on our radar.
Comment 14 Joakim Erdfelt 2019-05-16 16:20:56 EDT
I think we (Eclipse) have done what we can.
I say we don't worry about the bad data representation at NIST.

It's not like the data is harmfully bad, it's just a niggle.
Besides, once this issue goes public, people should be able to find it via searching for "CVE-2019-10246" and see what the authoritative opinion on this is.
Comment 15 Tony Homer 2019-05-16 23:11:39 EDT
@wayne thanks for pursuing this.

@joakim I respectfully disagree about it being a niggle.  The mismatch between description and Known Affected Software Configurations makes it impossible to know which is correct without coming here to find out.
Comment 16 Joakim Erdfelt 2019-05-17 08:59:27 EDT
The updated NIST report cpeVersion 2.2 (from May 16th, 2019) shows only 1 version (no ranges).

https://nvd.nist.gov/vuln/detail/CVE-2019-10246?cpeVersion=2.2

The CVE details are also correct at this point in time.

https://www.cvedetails.com/cve/CVE-2019-10246/
Comment 17 Wayne Beaton 2019-05-17 09:02:33 EDT
I sent an email to NIST yesterday and they responded immediately. Thanks for bringing this to my attention.