CVE-2018-12536
Information Disclosure vulnerability in org.eclipse.jetty:jetty-server

Information Disclosure | No known exploit

What is CVE-2018-12536 About?

This Information Disclosure vulnerability in Eclipse Jetty Server (all 9.x versions) allows sensitive server path information to be revealed. When an invalid query is handled by the default error handler, a `java.nio.file.InvalidPathException` message containing the full server path is exposed. Exploitation is easy, requiring only a malformed request.

Affected Software

  • org.eclipse.jetty:jetty-server
    • >9.0.0, <9.3.24.v20180605
    • >9.4.0, <9.4.11.v20180605

Technical Details

The vulnerability in all 9.x versions of Eclipse Jetty Server occurs when a web application, deployed using default error handling, receives an intentionally malformed query that does not match any dynamic `url-pattern` and is subsequently handled by the `DefaultServlet` for static file serving. If the malformed characters in the query trigger a `java.nio.file.InvalidPathException`, and this exception is then processed by the default error handler, the detailed exception message, including the full server path to the base resource directory used by the `DefaultServlet` or webapp, will be included in the error response sent back to the requesting system. This exposes sensitive server infrastructure details.

What is the Impact of CVE-2018-12536?

Successful exploitation may allow attackers to gain sensitive information about the server's file system structure, aiding in further targeted attacks or reconnaissance.

What is the Exploitability of CVE-2018-12536?

Exploitation of this information disclosure vulnerability is straightforward and requires minimal effort. An attacker only needs to send an intentionally malformed query to a vulnerable Jetty instance over the network. No authentication is necessary. The primary prerequisite is that the application uses the default error handling mechanism. The risk is higher in environments that keep the default Jetty configuration without custom error pages, because the `InvalidPathException` message, including the server path, is then returned to the client.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2018-12536?

Available Upgrade Options

  • org.eclipse.jetty:jetty-server
    • >9.0.0, <9.3.24.v20180605 → Upgrade to 9.3.24.v20180605
  • org.eclipse.jetty:jetty-server
    • >9.4.0, <9.4.11.v20180605 → Upgrade to 9.4.11.v20180605
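For auditing your own deployments, the following added example (not part of the original advisory or of the Jetty project) checks a Jetty version string against the affected ranges listed above and scans a captured error-response body for a leaked `java.nio.file.InvalidPathException` path. The function names, the numeric-only version comparison and the sample bodies are assumptions constructed for illustration.

```python
import re

# Affected ranges exactly as listed on this page (both bounds exclusive).
AFFECTED = [((9, 0, 0), (9, 3, 24)), ((9, 4, 0), (9, 4, 11))]

# Exception name followed by the rest of its message on the same line.
EXC = re.compile(r"java\.nio\.file\.InvalidPathException:?([^\r\n<]*)")
# Unix or Windows absolute path with at least two components.
ABS_PATH = re.compile(r"(?:[A-Za-z]:\\|/)[\w.\-]+(?:[\\/][\w.\-]+)+")

# Constructed sample error bodies (not real Jetty output).
LEAKY_BODY = ("<h2>HTTP ERROR 500</h2><pre>java.nio.file.InvalidPathException: "
              "constructed reason: /srv/example-app/webroot/item</pre>")
CLEAN_BODY = "<h2>HTTP ERROR 404</h2><p>Not Found</p>"


def parse_version(version):
    """'9.4.8.v20171121' -> (9, 4, 8). Assumption: the date qualifier is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True if the version falls inside one of the ranges listed on this page."""
    v = parse_version(version)
    return any(low < v < high for low, high in AFFECTED)


def find_path_leak(body):
    """Return the server path exposed in an error body, or None if none is found."""
    m = EXC.search(body)
    if not m:
        return None
    p = ABS_PATH.search(m.group(1))
    return p.group(0) if p else None


if __name__ == "__main__":
    # Constructed version strings for demonstration.
    for ver in ("9.3.20.v20170531", "9.4.8.v20171121", "9.4.11.v20180605"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    for name, body in (("leaky", LEAKY_BODY), ("clean", CLEAN_BODY)):
        print(name, "->", find_path_leak(body))
```

Running `find_path_leak` over error responses collected from a staging instance, before and after the upgrade or after adding a custom error page, confirms whether the path is still being returned.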

Additional Resources

What are Similar Vulnerabilities to CVE-2018-12536?

Similar Vulnerabilities: CVE-2021-44228, CVE-2022-26138, CVE-2020-13936, CVE-2021-39237, CVE-2022-22965