CVE-2019-10246

MEDIUM

Eclipse Jetty 9.2.27, 9.3.26, 9.4.16 - Exposure of Sensitive Information via Directory Listing


Description

In Eclipse Jetty versions 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name to a remote client when it is configured to show a listing of directory contents. This information disclosure is restricted to the content in the configured base resource directories.

Scores

CVSS v3 5.3
EPSS 0.0258
EPSS Percentile 85.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-213 CWE-200
Status published
Products (49)
eclipse/jetty 9.2.27 20190403
eclipse/jetty 9.3.26 20190403
eclipse/jetty 9.4.16 20190411
netapp/element
netapp/oncommand_system_manager 3.0 - 3.1.3
netapp/snap_creator_framework
netapp/snapcenter
netapp/snapmanager (2 CPE variants)
netapp/storage_replication_adapter_for_clustered_data_ontap 9.6
netapp/storage_replication_adapter_for_clustered_data_ontap 9.6
... and 39 more
Published Apr 22, 2019
Tracked Since Feb 18, 2026