{"api_version":"1","generated_at":"2026-04-23T09:39:11+00:00","cve":"CVE-2018-12536","urls":{"html":"https://cve.report/CVE-2018-12536","api":"https://cve.report/api/cve/CVE-2018-12536.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-12536","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-12536"},"summary":{"title":"CVE-2018-12536","description":"In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.","state":"PUBLIC","assigner":"security@eclipse.org","published_at":"2018-06-27 17:29:00","updated_at":"2023-11-07 02:52:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html","name":"[debian-lts-announce] 20210514 [SECURITY] [DLA 2661-1] jetty9 security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2661-1] jetty9 security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.securitytracker.com/id/1041194","name":"1041194","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"Jetty Multiple Flaws Let Remote Users Conduct HTTP Request Smuggling and Session Hijacking Attacks and Determine the Installation Path - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670","name":"https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"535670 – (CVE-2018-12536) Jetty: CVE Request: InvalidPathException message","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us","name":"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"Document Display | HPE Support Center","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/security-alerts/cpuoct2020.html","name":"https://www.oracle.com/security-alerts/cpuoct2020.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - October 2020","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E","name":"[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar","refsource":"","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E","name":"[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20181014-0001/","name":"https://security.netapp.com/advisory/ntap-20181014-0001/","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"September 2018 Eclipse Jetty Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","name":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"Oracle Critical Patch Update - October 2019","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-12536","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-12536","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"12536","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"eclipse","cpe5":"jetty","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12536","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"eclipse","cpe5":"jetty","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12536","vulnerable":"1","versionEndIncluding":"9.2.26","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"eclipse","cpe5":"jetty","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12536","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"retail_xstore_point_of_service","cpe6":"15.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12536","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"retail_xstore_point_of_service","cpe6":"16.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12536","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"retail_xstore_point_of_service","cpe6":"17.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12536","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"retail_xstore_point_of_service","cpe6":"7.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12536","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"retail_xstore_point_of_service","cpe6":"15.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12536","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"retail_xstore_point_of_service","cpe6":"16.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12536","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"retail_xstore_point_of_service","cpe6":"17.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"12536","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"retail_xstore_point_of_service","cpe6":"7.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2018-12536","qid":"178597","title":"Debian Security Update for jetty9 (DLA 2661-1)"},{"cve":"CVE-2018-12536","qid":"376543","title":"F5 BIG-IP Application Security Manager (ASM), Local Traffic Manager (LTM), Access Policy Manager (APM) Eclipse Jetty Vulnerability (K33548065)"},{"cve":"CVE-2018-12536","qid":"982300","title":"Java (maven) Security Update for org.eclipse.jetty:jetty-server (GHSA-9rgv-h7x4-qw8g)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@eclipse.org","ID":"CVE-2018-12536","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Eclipse Jetty","version":{"version_data":[{"version_affected":"<=","version_value":"9.2.0"},{"version_affected":">=","version_value":"9.3.0"},{"version_affected":"<","version_value":"9.3.24"},{"version_affected":">=","version_value":"9.4.0"},{"version_affected":"<","version_value":"9.4.11"}]}}]},"vendor_name":"The Eclipse Foundation"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-209: Information Exposure Through an Error Message"}]}]},"references":{"reference_data":[{"name":"1041194","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1041194"},{"refsource":"MLIST","name":"[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar","url":"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E"},{"url":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","refsource":"MISC","name":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"},{"url":"https://www.oracle.com/security-alerts/cpuoct2020.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"name":"https://security.netapp.com/advisory/ntap-20181014-0001/","refsource":"CONFIRM","url":"https://security.netapp.com/advisory/ntap-20181014-0001/"},{"refsource":"CONFIRM","name":"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us","url":"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us"},{"name":"https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670","refsource":"CONFIRM","url":"https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670"},{"refsource":"MLIST","name":"[debian-lts-announce] 20210514 [SECURITY] [DLA 2661-1] jetty9 security update","url":"https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html"}]}},"nvd":{"publishedDate":"2018-06-27 17:29:00","lastModifiedDate":"2023-11-07 02:52:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*","versionStartIncluding":"9.4.0","versionEndExcluding":"9.4.11","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*","versionStartIncluding":"9.3.0","versionEndExcluding":"9.3.24","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*","versionStartIncluding":"9.0.0","versionEndIncluding":"9.2.26","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"12536","Ordinal":"129104","Title":"CVE-2018-12536","CVE":"CVE-2018-12536","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"12536","Ordinal":"1","NoteData":"In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"12536","Ordinal":"2","NoteData":"2018-06-27","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"12536","Ordinal":"3","NoteData":"2021-05-14","Type":"Other","Title":"Modified"}]}}}