CVE-2019-10247
Information Disclosure vulnerability in jetty-server (Maven)
What is CVE-2019-10247 About?
This vulnerability is an Information Disclosure flaw in Eclipse Jetty versions 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older. It allows the server to reveal fully qualified directory base resource locations in 404 error pages or context listings. The impact is sensitive information leakage, and exploitation is trivial, as it only requires requesting a non-existent path.
Affected Software
- org.eclipse.jetty:jetty-server
  - >7.0.0, <9.2.28.v20190418
  - >9.3.0, <9.3.27.v20190418
  - >9.4.0, <9.4.17.v20190418
Technical Details
In Eclipse Jetty, specifically versions 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, an information disclosure vulnerability exists where the server can reveal configured fully qualified directory base resource locations. This occurs when a request is made for a non-existent context, leading to a 404 error. The default DefaultHandler in jetty-distribution and jetty-home is responsible for handling these 404s and, in its attempt to list available contexts as clickable HTML for users, includes the server's internal file system paths for each context. An attacker merely needs to send a request for any path that does not map to an existing context, and the resulting 404 page will disclose sensitive directory information from the server's file system.
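As an added example (not part of the original advisory and not Jetty's own code), the Python check below scans a 404 response body for base resource locations of the kind described above, ignoring the context paths that the listing links to. The sample bodies are constructed, and `leaked_locations` is a hypothetical helper name.

```python
import html
import re

HREF = re.compile(r'href="([^"]*)"')
TAG = re.compile(r"<[^>]+>")
LOCATION = re.compile(
    r"(?:jar:)?file:/+[^\s,{}<>\"']+"     # file: and jar:file: URIs
    r"|\b[A-Za-z]:[\\/][^\s,{}<>\"']+"    # Windows drive paths
    r"|(?<![\w:/])(?:/[\w.+-]+){2,}/?"    # absolute Unix paths, 2+ segments
)

# Constructed sample bodies, not captured from a real server.
LEAKY_404 = """<html><body><h2>Error 404 - Not Found.</h2>
No context on this server matched or handled this request.<br/>
Contexts known to this server are:<ul>
<li><a href="/shop">/shop ---&gt; WebAppContext{/shop,file:///opt/jetty/webapps/shop/,AVAILABLE}{/opt/jetty/webapps/shop.war}</a></li>
<li><a href="/admin">/admin ---&gt; WebAppContext{/admin,file:/C:/jetty/base/webapps/admin/,AVAILABLE}</a></li>
</ul></body></html>"""

SAFE_404 = """<html><body><h2>Error 404 - Not Found.</h2>
Contexts known to this server are:<ul>
<li><a href="/shop">/shop</a></li>
<li><a href="/api/v1">/api/v1</a></li>
</ul></body></html>"""


def leaked_locations(body: str) -> list[str]:
    """Return filesystem locations visible in the text of an error page."""
    # Context paths the page links to are expected output, not a leak.
    links = {h.rstrip("/") for h in HREF.findall(body)}
    # Look only at visible text: drop tags, then decode entities such as &gt;.
    text = html.unescape(TAG.sub(" ", body))
    found = []
    for match in LOCATION.finditer(text):
        loc = match.group(0)
        if loc.rstrip("/") in links or loc in found:
            continue
        found.append(loc)
    return found


if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_404), ("safe", SAFE_404)):
        print(name, leaked_locations(body))
```

A non-empty result on the 404 page of a server you operate means the error page exposes file system locations and the server should be checked against the affected versions.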
What is the Impact of CVE-2019-10247?
Successful exploitation may allow attackers to gather sensitive information about the server's file system structure, aid in further attacks such as directory traversal, or reveal the location of critical application components.
What is the Exploitability of CVE-2019-10247?
Exploiting this information disclosure vulnerability has extremely low complexity. It requires no authentication or privileges, because it occurs simply by making a request to a non-existent path on the vulnerable Jetty server. The attack is entirely remote. There are no special conditions or constraints beyond the default Jetty configuration being in use. The primary risk factor increasing exploitation likelihood is the default behavior of the DefaultHandler in the specified Jetty versions. Any unauthenticated attacker can trivially trigger this leak by attempting to access a resource that does not exist, making it highly discoverable.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-10247?
Available Upgrade Options
- org.eclipse.jetty:jetty-server
  - >7.0.0, <9.2.28.v20190418 → Upgrade to 9.2.28.v20190418
- org.eclipse.jetty:jetty-server
  - >9.3.0, <9.3.27.v20190418 → Upgrade to 9.3.27.v20190418
- org.eclipse.jetty:jetty-server
  - >9.4.0, <9.4.17.v20190418 → Upgrade to 9.4.17.v20190418
Additional Resources
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
- https://security.netapp.com/advisory/ntap-20190509-0003
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://www.debian.org/security/2021/dsa-4949
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.oracle.com/security-alerts/cpujan2021.html
What are Similar Vulnerabilities to CVE-2019-10247?
Similar Vulnerabilities: CVE-2020-13936, CVE-2019-17564, CVE-2018-8032, CVE-2017-7656, CVE-2016-5387
