CVE-2019-10246
Information Reveal vulnerability in jetty-server (Maven)
What is CVE-2019-10246 About?
This vulnerability in Eclipse Jetty running on Windows allows for the exposure of the full directory name of the base resource directory to remote clients. This information reveal can aid attackers in reconnaissance efforts, and its exploitation is relatively straightforward under specific configurations.
Affected Software
- org.eclipse.jetty:jetty-server
- >9.3.0, <9.3.27.v20190418
- >9.2.0, <9.2.28.v20190418
- >9.4.0, <9.4.17.v20190418
Technical Details
In Eclipse Jetty versions 9.2.27, 9.3.26, and 9.4.16 configured for directory listing on Windows, the server incorrectly discloses the fully qualified name of the Base Resource directory. When a remote client requests a directory listing, the server reveals this sensitive path information. This exposure is limited to the configured base resource directories, meaning only paths within these specific server-defined directories are disclosed to the remote attacker, providing valuable internal system information.
What is the Impact of CVE-2019-10246?
Successful exploitation may allow attackers to gather sensitive system information, aiding in further reconnaissance and potentially leading to more targeted attacks or circumvention of security measures.
What is the Exploitability of CVE-2019-10246?
Exploitation depends on the server running on Windows and being configured to show directory contents listing. The complexity is low, as a remote client only needs to make a request to a directory to potentially gain this information. No authentication or specific privileges are required, making it a remote and unauthenticated vulnerability. The primary constraint is the specific server configuration. The likelihood of exploitation increases if directory listings are enabled by default or for convenience without proper security considerations.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2019-10246?
Available Upgrade Options
- org.eclipse.jetty:jetty-server
- >9.2.0, <9.2.28.v20190418 → Upgrade to 9.2.28.v20190418
- org.eclipse.jetty:jetty-server
- >9.3.0, <9.3.27.v20190418 → Upgrade to 9.3.27.v20190418
- org.eclipse.jetty:jetty-server
- >9.4.0, <9.4.17.v20190418 → Upgrade to 9.4.17.v20190418
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2019-10246
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://security.netapp.com/advisory/ntap-20190509-0003
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=546576
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=546576
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
What are Similar Vulnerabilities to CVE-2019-10246?
Similar Vulnerabilities: CVE-2018-1000001 , CVE-2016-10001 , CVE-2015-8854 , CVE-2014-0199 , CVE-2013-0308
