CVE-2019-10241
XSS vulnerability in jetty-server (Maven)
What is CVE-2019-10241 About?
This vulnerability affects Eclipse Jetty versions 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, allowing Cross-Site Scripting (XSS). It is triggered when a remote client sends a specially formatted URL to a `DefaultServlet` or `ResourceHandler` that is configured to produce directory listings. Exploitation requires user interaction with a malicious link.
Affected Software
- org.eclipse.jetty:jetty-server
  - >9.4.0, <9.4.16.v20190411
  - >9.3.0, <9.3.26.v20190403
  - <9.2.27.v20190403
Technical Details
The flaw is in Jetty's `DefaultServlet` and `ResourceHandler` components when they are configured to show directory listings. When a remote client requests a specially formatted URL, the HTML generated for the directory listing does not escape every part of that URL, so attacker-controlled characters are written into the page markup unchanged. When a user opens the crafted URL on a vulnerable Jetty server, the injected script executes in that user's browser. This is a reflected XSS: the attacker's input is echoed back unescaped in the response body rather than being stored on the server.
What is the Impact of CVE-2019-10241?
Successful exploitation may allow attackers to execute arbitrary client-side script code, steal session cookies, deface the web interface, or redirect users to malicious websites.
What is the Exploitability of CVE-2019-10241?
Exploitation of this XSS vulnerability is of low to moderate complexity. An attacker must craft a URL containing script and then induce a victim to open it, or the victim must browse to a directory listing on the vulnerable Jetty server where the crafted URL is reflected. No authentication is required if directory listings are publicly accessible. The attack is remote and executes client-side, in the victim's browser. The prerequisites are that the Jetty server runs a vulnerable version and that its `DefaultServlet` or `ResourceHandler` is configured to allow directory listings. The likelihood of exploitation increases when directory structures are exposed and users routinely navigate them.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-10241?
Available Upgrade Options
- org.eclipse.jetty:jetty-server
  - <9.2.27.v20190403 → Upgrade to 9.2.27.v20190403
  - >9.3.0, <9.3.26.v20190403 → Upgrade to 9.3.26.v20190403
  - >9.4.0, <9.4.16.v20190411 → Upgrade to 9.4.16.v20190411
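The affected ranges above and the upgrade targets in this section can be checked mechanically. The following is an added example, not code from the Jetty project or this advisory: it parses Jetty's `MAJOR.MINOR.MICRO.vYYYYMMDD` version strings, evaluates the three ranges exactly as listed here, and scans constructed `mvn dependency:tree` output for `jetty-server` artifacts. It assumes that a version without the `.vDATE` qualifier sorts below any dated build of the same number, which is what makes the exclusive lower bounds `9.3.0` and `9.4.0` match the dated `9.3.0.v…` and `9.4.0.v…` releases.

```python
import re

# Jetty 9 release versions look like MAJOR.MINOR.MICRO.vYYYYMMDD (e.g. 9.4.15.v20190215).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.v(\d{8}))?$")

# Matches the artifact coordinates printed by `mvn dependency:tree`.
_TREE_RE = re.compile(r"org\.eclipse\.jetty:jetty-server:jar:([0-9][^:\s]*)")

# Affected ranges exactly as listed in this advisory: (exclusive lower bound, exclusive upper bound).
# The upper bound of each range is also the fixed release for that branch.
AFFECTED_RANGES = [
    (None, "9.2.27.v20190403"),
    ("9.3.0", "9.3.26.v20190403"),
    ("9.4.0", "9.4.16.v20190411"),
]


def parse_jetty_version(text):
    """Return a comparable tuple. Assumption: a missing .vDATE qualifier sorts below any dated build."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version string: {text!r}")
    major, minor, micro, date = m.groups()
    return (int(major), int(minor), int(micro), int(date) if date else 0)


def fixed_version_for(version):
    """Return the fixed release if `version` falls inside an affected range, otherwise None."""
    v = parse_jetty_version(version)
    for lower, upper in AFFECTED_RANGES:
        above_lower = lower is None or v > parse_jetty_version(lower)
        if above_lower and v < parse_jetty_version(upper):
            return upper
    return None


def is_affected(version):
    return fixed_version_for(version) is not None


def scan_dependency_tree(tree_output):
    """Map every jetty-server version seen in `mvn dependency:tree` output to its fix (or None)."""
    return {ver: fixed_version_for(ver) for ver in _TREE_RE.findall(tree_output)}


# Constructed sample output for illustration, not captured from a real build.
SAMPLE_TREE = """\
[INFO] +- org.eclipse.jetty:jetty-server:jar:9.4.15.v20190215:compile
[INFO] |  \\- org.eclipse.jetty:jetty-http:jar:9.4.15.v20190215:compile
[INFO] \\- org.eclipse.jetty:jetty-server:jar:9.4.16.v20190411:test
"""

if __name__ == "__main__":
    for ver, fix in scan_dependency_tree(SAMPLE_TREE).items():
        print(f"{ver}: {'upgrade to ' + fix if fix else 'not affected'}")
```

Run it against real `mvn dependency:tree` output to find transitive `jetty-server` pulls that a direct dependency check would miss.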
Additional Resources
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/bcfb37bfba7b3d7e9c7808b5e5a38a98d6bb714d52cf5162bdd48e32%40%3Cjira.kafka.apache.org%3E
- https://security.netapp.com/advisory/ntap-20190509-0003
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.debian.org/security/2021/dsa-4949
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.apache.org/thread.html/8bff534863c7aaf09bb17c3d0532777258dd3a5c7ddda34198cc2742@%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E
What are Similar Vulnerabilities to CVE-2019-10241?
Similar Vulnerabilities: CVE-2023-38545, CVE-2023-38146, CVE-2023-34062, CVE-2023-34316, CVE-2023-28434
