Vulnerability Details : CVE-2019-10241
In Eclipse Jetty versions 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler when either is configured to show a listing of directory contents.
Vulnerability category: Cross-site scripting (XSS)
Products affected by CVE-2019-10241
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:activemq:5.15.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:drill:1.16.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_core_banking:*:*:*:*:*:*:*:* (Oracle Flexcube Core Banking, versions from 11.5.0 up to and including 11.7.0)
- cpe:2.3:a:oracle:flexcube_core_banking:5.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
- cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
- cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
- cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.7:rc1:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.0:maintenance2:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.0:rc0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.8:rc0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.7:rc0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.4:rc0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.0:20150601:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.0:20150608:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.0:20150612:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.0:maintenance0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.0:maintenance1:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.1:20150714:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.2:20150730:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.3:20150825:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.3:20150827:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.4:20151005:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.4:20151007:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.5:20151012:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.6:20151106:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.7:20160115:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.8:20160311:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.8:20160314:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.9:20160517:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.9:maintenance_0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.9:maintenance_1:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.10:20160621:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.10:maintenance_0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.11:20160721:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.11:maintenance_0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.12:20160915:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.13:20161014:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.13:maintenance_0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.14:20161028:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.15:20161220:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.16:20170119:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.16:20170120:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.17:20170317:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.17:rc0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.18:20170406:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.19:20170502:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.20:20170531:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.21:20170918:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.21:maintenance_0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.21:rc0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.22:20171030:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.23:20180228:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.24:20180605:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.0:20161207:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.0:20161208:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.0:20180619:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.0:maintenance_0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.0:maintenance_1:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.0:rc0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.1:20170120:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.1:20180619:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.2:20170220:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.2:20180619:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.3:20170317:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.3:20180619:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.4:20170410:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.4:20170414:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.4:20180619:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.5:20170502:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.5:20180619:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.6:20170531:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.6:20180619:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.7:20170914:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.7:20180619:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.7:rc0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.8:20171121:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.8:20180619:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.9:20180320:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.10:20180503:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.10:rc0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.10:rc1:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.11:20180605:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.12:rc0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.12:rc1:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.12:rc2:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.6:20141205:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.7:20150116:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.8:20150217:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.9:20150224:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.19:20160908:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.20:20161216:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.21:20170120:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.22:20170606:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.0:maintenance_1:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.0:rc0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.1:20140609:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.2:20140723:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.12:maintenance_0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.13:20150730:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.14:20151106:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.15:20160210:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.13:20181111:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.14:20181114:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.0:20140526:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.4:20141103:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.6:20141203:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.10:20150310:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.11:20150529:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.12:20150709:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.16:20160407:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.17:20160517:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.24:20180105:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.26:20180806:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.25:20180904:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.15:20190215:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.0:20140523:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.0:maintenance_0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.3:20140905:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.5:20141112:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.11:20150528:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.11:maintenance_0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.16:20160414:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.18:20160721:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.23:20171218:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.25:20180606:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.4.12:20180830:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-10241
0.25%: probability of exploitation activity in the next 30 days
EPSS Score History
~66%: percentile, the proportion of vulnerabilities that are scored at or below this one
CVSS scores for CVE-2019-10241
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | 
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST | 
CWE ids for CVE-2019-10241
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
  Assigned by:
  - emo@eclipse.org (Secondary)
  - nvd@nist.gov (Primary)
References for CVE-2019-10241
- https://www.oracle.com/security-alerts/cpuoct2020.html
  Oracle Critical Patch Update Advisory - October 2020 [Patch; Third Party Advisory]
- https://security.netapp.com/advisory/ntap-20190509-0003/
  April 2019 Eclipse Jetty Vulnerabilities in NetApp Products | NetApp Product Security [Third Party Advisory]
- https://lists.apache.org/thread.html/d7c4a664a34853f57c2163ab562f39802df5cf809523ea40c97289c1@%3Cdev.kafka.apache.org%3E
  [jira] [Created] (KAFKA-8308) Update jetty for security vulnerability CVE-2019-10241 - Pony Mail [Mailing List; Third Party Advisory]
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
  [Patch; Third Party Advisory]
- https://lists.apache.org/thread.html/464892b514c029dfc0c8656a93e1c0de983c473df70fdadbd224e09f@%3Cjira.kafka.apache.org%3E
  [jira] [Created] (KAFKA-8308) Update jetty for security vulnerability CVE-2019-10241 - Pony Mail [Mailing List; Third Party Advisory]
- https://lists.apache.org/thread.html/bcfb37bfba7b3d7e9c7808b5e5a38a98d6bb714d52cf5162bdd48e32@%3Cjira.kafka.apache.org%3E
  [jira] [Assigned] (KAFKA-8308) Update jetty for security vulnerability CVE-2019-10241 - Pony Mail [Mailing List; Third Party Advisory]
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
  [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities - Pony Mail [Mailing List; Third Party Advisory]
- https://lists.apache.org/thread.html/8bff534863c7aaf09bb17c3d0532777258dd3a5c7ddda34198cc2742@%3Cdev.kafka.apache.org%3E
  [jira] [Resolved] (KAFKA-8308) Update jetty for security vulnerability CVE-2019-10241 - Pony Mail [Mailing List; Third Party Advisory]
- https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html
  [SECURITY] [DLA 2661-1] jetty9 security update [Mailing List; Third Party Advisory]
- https://www.debian.org/security/2021/dsa-4949
  Debian -- Security Information -- DSA-4949-1 jetty9 [Third Party Advisory]
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121
  546121 – (CVE-2019-10241) Jetty CVE Request: DefaultServlet / ResourceHandler XSS [Issue Tracking; Vendor Advisory]
- https://lists.apache.org/thread.html/01e004c3f7c7365863a27e7038b7f32dae56ccf3a496b277c9b7f7b6@%3Cjira.kafka.apache.org%3E
  [jira] [Resolved] (KAFKA-8308) Update jetty for security vulnerability CVE-2019-10241 - Pony Mail [Mailing List; Third Party Advisory]
- https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E
  [Mailing List; Third Party Advisory]
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
  [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities - Pony Mail [Mailing List; Third Party Advisory]
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E
  [Mailing List; Third Party Advisory]