CVE-2018-12536

MEDIUM

Eclipse Jetty Server 9.x - Info Disclosure


Description

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

References (8)

Core References
- Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://www.securitytracker.com/id/1041194
- Third Party Advisory (x_refsource_confirm): https://security.netapp.com/advisory/ntap-20181014-0001/
- Vendor Advisory (x_refsource_confirm): https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670
- Mailing List (mailing-list, x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html

Scores

CVSS v3 5.3
EPSS 0.0351
EPSS Percentile 87.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-209
Status published
Products (6)
eclipse/jetty 9.0.0 - 9.2.26
oracle/retail_xstore_point_of_service 7.1
oracle/retail_xstore_point_of_service 15.0
oracle/retail_xstore_point_of_service 16.0.0
oracle/retail_xstore_point_of_service 17.0
org.eclipse.jetty/jetty-server 9.4.0 - 9.4.11.v20180605 (Maven)
Published Jun 27, 2018
Tracked Since Feb 18, 2026