Vulnerability Details : CVE-2019-10246
In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.
Vulnerability category: Information leak
Products affected by CVE-2019-10246
- cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*
- Oracle » Flexcube Core BankingVersions from including (>=) 11.5.0 and up to, including, (<=) 11.7.0cpe:2.3:a:oracle:flexcube_core_banking:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:flexcube_core_banking:5.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_services_gatekeeper:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_services_gatekeeper:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
- cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
- cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
- cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
- cpe:2.3:a:oracle:communications_element_manager:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_element_manager:8.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_session_report_manager:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_session_report_manager:8.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_session_route_manager:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_session_route_manager:8.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:autovue:21.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:unified_directory:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:unified_directory:12.2.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:snapmanager:-:-:*:*:*:oracle:*:*
- cpe:2.3:a:netapp:snapmanager:-:-:*:*:*:sap:*:*
- cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:virtual_storage_console:*:*:*:*:*:vmware_vsphere:*:*
- cpe:2.3:a:netapp:virtual_storage_console:9.6:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:storage_services_connector:-:*:*:*:*:*:*:*
- Netapp » Storage Replication Adapter For Clustered Data Ontap » For Vmware VsphereVersions from including (>=) 9.6cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap:*:*:*:*:*:vmware_vsphere:*:*
- cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap:9.6:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:element:-:*:*:*:*:vcenter_server:*:*
- cpe:2.3:a:eclipse:jetty:9.4.16:20190411:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.27:20190403:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.26:20190403:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-10246
1.52%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 87 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-10246
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
3.9
|
1.4
|
NIST |
CWE ids for CVE-2019-10246
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
-
The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.Assigned by: emo@eclipse.org (Secondary)
References for CVE-2019-10246
-
https://www.oracle.com/security-alerts/cpujan2020.html
Oracle Critical Patch Update Advisory - January 2020Third Party Advisory
-
https://www.oracle.com/security-alerts/cpuoct2020.html
Oracle Critical Patch Update Advisory - October 2020Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20190509-0003/
April 2019 Eclipse Jetty Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://www.oracle.com/security-alerts/cpuapr2020.html
Oracle Critical Patch Update Advisory - April 2020Third Party Advisory
-
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Page not found | OracleThird Party Advisory
-
https://www.oracle.com/security-alerts/cpujul2020.html
Oracle Critical Patch Update Advisory - July 2020Third Party Advisory
-
https://www.oracle.com/security-alerts/cpujan2021.html
Oracle Critical Patch Update Advisory - January 2021Third Party Advisory
-
https://www.oracle.com/security-alerts/cpuApr2021.html
Oracle Critical Patch Update Advisory - April 2021
-
https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E
svn commit: r1869773 - /nifi/site/trunk/security.html - Pony MailMailing List;Third Party Advisory
-
https://bugs.eclipse.org/bugs/show_bug.cgi?id=546576
546576 – (CVE-2019-10246) Jetty CVE Request: Information Reveal - Windows Directory ListingsIssue Tracking;Vendor Advisory
-
https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
svn commit: r1873083 - /nifi/site/trunk/security.html - Pony MailMailing List;Third Party Advisory
Jump to