CVE-2019-10246
Summary
| CVE | CVE-2019-10246 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-04-22 20:29:00 UTC |
| Updated | 2023-11-07 03:02:00 UTC |
| Description | In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories. |
Risk And Classification
Problem Types: CWE-200
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Eclipse | Jetty | 9.2.27 | 20190403 | All | All |
| Application | Eclipse | Jetty | 9.3.26 | 20190403 | All | All |
| Application | Eclipse | Jetty | 9.4.16 | 20190411 | All | All |
| Operating System | Microsoft | Windows | - | All | All | All |
| Operating System | Netapp | Element | - | All | All | All |
| Application | Netapp | Oncommand System Manager | All | All | All | All |
| Application | Netapp | Snapcenter | - | All | All | All |
| Application | Netapp | Snapmanager | - | - | All | All |
| Application | Netapp | Snap Creator Framework | - | All | All | All |
| Application | Netapp | Storage Replication Adapter For Clustered Data Ontap | All | All | All | All |
| Application | Netapp | Storage Replication Adapter For Clustered Data Ontap | 9.6 | All | All | All |
| Application | Netapp | Storage Services Connector | - | All | All | All |
| Application | Netapp | Vasa Provider For Clustered Data Ontap | All | All | All | All |
| Application | Netapp | Vasa Provider For Clustered Data Ontap | - | All | All | All |
| Application | Netapp | Virtual Storage Console | All | All | All | All |
| Application | Netapp | Virtual Storage Console | 9.6 | All | All | All |
| Application | Oracle | Autovue | 21.0.2 | All | All | All |
| Application | Oracle | Communications Analytics | 12.1.1 | All | All | All |
| Application | Oracle | Communications Element Manager | 8.0.0 | All | All | All |
| Application | Oracle | Communications Element Manager | 8.1.0 | All | All | All |
| Application | Oracle | Communications Element Manager | 8.1.1 | All | All | All |
| Application | Oracle | Communications Element Manager | 8.2.0 | All | All | All |
| Application | Oracle | Communications Services Gatekeeper | 6.0 | All | All | All |
| Application | Oracle | Communications Services Gatekeeper | 6.1 | All | All | All |
| Application | Oracle | Communications Services Gatekeeper | 7.0 | All | All | All |
| Application | Oracle | Communications Session Report Manager | 8.0.0 | All | All | All |
| Application | Oracle | Communications Session Report Manager | 8.1.0 | All | All | All |
| Application | Oracle | Communications Session Report Manager | 8.1.1 | All | All | All |
| Application | Oracle | Communications Session Report Manager | 8.2.0 | All | All | All |
| Application | Oracle | Communications Session Route Manager | 8.0.0 | All | All | All |
| Application | Oracle | Communications Session Route Manager | 8.1.0 | All | All | All |
| Application | Oracle | Communications Session Route Manager | 8.1.1 | All | All | All |
| Application | Oracle | Communications Session Route Manager | 8.2.0 | All | All | All |
| Application | Oracle | Data Integrator | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Data Integrator | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Endeca Information Discovery Integrator | 3.2.0 | All | All | All |
| Application | Oracle | Enterprise Manager Base Platform | 13.2 | All | All | All |
| Application | Oracle | Enterprise Manager Base Platform | 13.3 | All | All | All |
| Application | Oracle | Flexcube Core Banking | 5.2.0 | All | All | All |
| Application | Oracle | Flexcube Core Banking | All | All | All | All |
| Application | Oracle | Flexcube Private Banking | 12.0.0 | All | All | All |
| Application | Oracle | Flexcube Private Banking | 12.1.0 | All | All | All |
| Application | Oracle | Hospitality Guest Access | 4.2.0 | All | All | All |
| Application | Oracle | Hospitality Guest Access | 4.2.1 | All | All | All |
| Application | Oracle | Rest Data Services | 11.2.0.4 | All | All | All |
| Application | Oracle | Rest Data Services | 12.1.0.2 | All | All | All |
| Application | Oracle | Rest Data Services | 12.2.0.1 | All | All | All |
| Application | Oracle | Rest Data Services | 18c | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 15.0 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 16.0 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 17.0 | All | All | All |
| Application | Oracle | Retail Xstore Point Of Service | 7.1 | All | All | All |
| Application | Oracle | Unified Directory | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Unified Directory | 12.2.1.4.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| 546576 – (CVE-2019-10246) Jetty CVE Request: Information Reveal - Windows Directory Listings | CONFIRM | bugs.eclipse.org | Issue Tracking, Vendor Advisory |
| Oracle Critical Patch Update Advisory - July 2020 | MISC | www.oracle.com | Third Party Advisory |
| Oracle Critical Patch Update Advisory - October 2020 | MISC | www.oracle.com | Third Party Advisory |
| April 2019 Eclipse Jetty Vulnerabilities in NetApp Products \| NetApp Product Security | CONFIRM | security.netapp.com | Third Party Advisory |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Third Party Advisory |
| Oracle Critical Patch Update - October 2019 | MISC | www.oracle.com | Third Party Advisory |
| Oracle Critical Patch Update Advisory - January 2020 | MISC | www.oracle.com | Third Party Advisory |
| Oracle Critical Patch Update Advisory - April 2020 | N/A | www.oracle.com | Third Party Advisory |
| Oracle Critical Patch Update Advisory - April 2021 | MISC | www.oracle.com | |
| Oracle Critical Patch Update Advisory - January 2021 | MISC | www.oracle.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 982260 Java (maven) Security Update for org.eclipse.jetty:jetty-server (GHSA-r28m-g6j9-r2h5)