Originally filed at https://github.com/eclipse/jetty.project/issues/3555

All users of Eclipse Jetty from Jetty 7.0.0 and newer are impacted. Even users of older non-eclipse Jetty (5.x and 6.x) are impacted.

The DefaultHandler will present the full path to the Resource Base directory, if the server is configured with only non-root contexts. This reveals the full system path of the base resources configured on the various contexts on the system.

CVSS score for this is ... https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium)

Please publish on Monday April 22nd. This is the text we should include in the CVE report ...

--(start)--
The server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.

Versions affected:
7.x (all versions)
8.x (all versions)
9.2.27.v20190403 and older
9.3.26.v20190403 and older
9.4.16.v20190411 and older

Resolved:
9.2.28.v20190418
9.3.27.v20190418
9.4.17.v20190418
--(end)--

Note: the specific versions where this is resolved are not available in the various public locations yet, as they are undergoing review. This section might be updated if issues are discovered.

Lastly, CWE-213

Pull request: https://github.com/CVEProject/cvelist/pull/1931
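As an added example that is not part of this bug report or of the Jetty project's own code: an embedded Jetty 9.4 server with a single non-root context (the configuration the report describes) whose trailing DefaultHandler has its context listing switched off, so unmatched paths still get a 404 without the per-context base directory being rendered. The port, context path and docRoot values are constructed; the Jetty 9.4 API names used are assumed to match the reader's version.

```java
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ContextHandler;
import org.eclipse.jetty.server.handler.ContextHandlerCollection;
import org.eclipse.jetty.server.handler.DefaultHandler;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.server.handler.ResourceHandler;

public class HardenedDefaultHandler {

    public static Server build(int port, String docRoot) {
        Server server = new Server(port);

        // One non-root context only: no handler is mounted at "/", so any
        // request outside /app falls through to the DefaultHandler below.
        ResourceHandler resources = new ResourceHandler();
        resources.setResourceBase(docRoot);
        ContextHandler app = new ContextHandler("/app");
        app.setHandler(resources);

        ContextHandlerCollection contexts = new ContextHandlerCollection();
        contexts.addHandler(app);

        // Keep the DefaultHandler for its 404 behaviour, but disable the
        // HTML context listing that carried the resource base path in the
        // affected versions. Upgrading to a resolved version is still the
        // primary fix; this setting removes the listing on any version.
        DefaultHandler fallback = new DefaultHandler();
        fallback.setShowContexts(false);
        fallback.setServeIcon(false);

        HandlerList handlers = new HandlerList();
        handlers.setHandlers(new Handler[] { contexts, fallback });
        server.setHandler(handlers);
        return server;
    }

    public static void main(String[] args) throws Exception {
        // Constructed values for a local run.
        Server server = build(8080, "/var/www/app");
        server.start();
        server.join();
    }
}
```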
The content of attachment 283793 has been deleted for the following reason: Bogus
(In reply to Joakim Erdfelt from comment #0)
> Originally filed at https://github.com/eclipse/jetty.project/issues/3555
>
> All users of Eclipse Jetty from Jetty 7.0.0 and newer are impacted.
> Even users of older non-eclipse Jetty (5.x and 6.x) are impacted.
>
> The DefaultHandler will present the full path to the Resource Base
> directory, if the server is configured with only non-root contexts.

Hi, Joakim, can you tell me how to solve this problem?
CVE-2019-10247
Created attachment 289175: Eclipse Jetty information disclosure vulnerability (CVE-2019-10247)