CVE-2019-10241: XSS
First published: Mon Apr 22 2019(Updated: )
Eclipse Jetty is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the DefaultServlet and ResourceHandler. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Credit: emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/jetty9 | 9.4.16-0+deb10u1 9.4.50-4+deb10u1 9.4.39-3+deb11u2 9.4.50-4+deb11u1 9.4.50-4+deb12u2 9.4.53-1 | |
| redhat/jetty | <9.2.27 | 9.2.27 |
| redhat/jetty | <9.3.26 | 9.3.26 |
| redhat/jetty | <9.4.16 | 9.4.16 |
| IBM Cognos Analytics | <=12.0.0-12.0.3 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP3 | |
| Mortbay Jetty | =9.2.0-20140523 | |
| Mortbay Jetty | =9.2.0-20140526 | |
| Mortbay Jetty | =9.2.0-maintenance_0 | |
| Mortbay Jetty | =9.2.0-maintenance_1 | |
| Mortbay Jetty | =9.2.0-rc0 | |
| Mortbay Jetty | =9.2.1-20140609 | |
| Mortbay Jetty | =9.2.2-20140723 | |
| Mortbay Jetty | =9.2.3-20140905 | |
| Mortbay Jetty | =9.2.4-20141103 | |
| Mortbay Jetty | =9.2.5-20141112 | |
| Mortbay Jetty | =9.2.6-20141203 | |
| Mortbay Jetty | =9.2.6-20141205 | |
| Mortbay Jetty | =9.2.7-20150116 | |
| Mortbay Jetty | =9.2.8-20150217 | |
| Mortbay Jetty | =9.2.9-20150224 | |
| Mortbay Jetty | =9.2.10-20150310 | |
| Mortbay Jetty | =9.2.11-20150528 | |
| Mortbay Jetty | =9.2.11-20150529 | |
| Mortbay Jetty | =9.2.11-maintenance_0 | |
| Mortbay Jetty | =9.2.12-20150709 | |
| Mortbay Jetty | =9.2.12-maintenance_0 | |
| Mortbay Jetty | =9.2.13-20150730 | |
| Mortbay Jetty | =9.2.14-20151106 | |
| Mortbay Jetty | =9.2.15-20160210 | |
| Mortbay Jetty | =9.2.16-20160407 | |
| Mortbay Jetty | =9.2.16-20160414 | |
| Mortbay Jetty | =9.2.17-20160517 | |
| Mortbay Jetty | =9.2.18-20160721 | |
| Mortbay Jetty | =9.2.19-20160908 | |
| Mortbay Jetty | =9.2.20-20161216 | |
| Mortbay Jetty | =9.2.21-20170120 | |
| Mortbay Jetty | =9.2.22-20170606 | |
| Mortbay Jetty | =9.2.23-20171218 | |
| Mortbay Jetty | =9.2.24-20180105 | |
| Mortbay Jetty | =9.2.25-20180606 | |
| Mortbay Jetty | =9.2.26-20180806 | |
| Mortbay Jetty | =9.3.0-20150601 | |
| Mortbay Jetty | =9.3.0-20150608 | |
| Mortbay Jetty | =9.3.0-20150612 | |
| Mortbay Jetty | =9.3.0-maintenance0 | |
| Mortbay Jetty | =9.3.0-maintenance1 | |
| Mortbay Jetty | =9.3.0-maintenance2 | |
| Mortbay Jetty | =9.3.0-rc0 | |
| Mortbay Jetty | =9.3.0-rc1 | |
| Mortbay Jetty | =9.3.1-20150714 | |
| Mortbay Jetty | =9.3.2-20150730 | |
| Mortbay Jetty | =9.3.3-20150825 | |
| Mortbay Jetty | =9.3.3-20150827 | |
| Mortbay Jetty | =9.3.4-20151005 | |
| Mortbay Jetty | =9.3.4-20151007 | |
| Mortbay Jetty | =9.3.4-rc0 | |
| Mortbay Jetty | =9.3.4-rc1 | |
| Mortbay Jetty | =9.3.5-20151012 | |
| Mortbay Jetty | =9.3.6-20151106 | |
| Mortbay Jetty | =9.3.7-20160115 | |
| Mortbay Jetty | =9.3.7-rc0 | |
| Mortbay Jetty | =9.3.7-rc1 | |
| Mortbay Jetty | =9.3.8-20160311 | |
| Mortbay Jetty | =9.3.8-20160314 | |
| Mortbay Jetty | =9.3.8-rc0 | |
| Mortbay Jetty | =9.3.9-20160517 | |
| Mortbay Jetty | =9.3.9-maintenance_0 | |
| Mortbay Jetty | =9.3.9-maintenance_1 | |
| Mortbay Jetty | =9.3.10-20160621 | |
| Mortbay Jetty | =9.3.10-maintenance_0 | |
| Mortbay Jetty | =9.3.11-20160721 | |
| Mortbay Jetty | =9.3.11-maintenance_0 | |
| Mortbay Jetty | =9.3.12-20160915 | |
| Mortbay Jetty | =9.3.13-20161014 | |
| Mortbay Jetty | =9.3.13-maintenance_0 | |
| Mortbay Jetty | =9.3.14-20161028 | |
| Mortbay Jetty | =9.3.15-20161220 | |
| Mortbay Jetty | =9.3.16-20170119 | |
| Mortbay Jetty | =9.3.16-20170120 | |
| Mortbay Jetty | =9.3.17-20170317 | |
| Mortbay Jetty | =9.3.17-rc0 | |
| Mortbay Jetty | =9.3.18-20170406 | |
| Mortbay Jetty | =9.3.19-20170502 | |
| Mortbay Jetty | =9.3.20-20170531 | |
| Mortbay Jetty | =9.3.21-20170918 | |
| Mortbay Jetty | =9.3.21-maintenance_0 | |
| Mortbay Jetty | =9.3.21-rc0 | |
| Mortbay Jetty | =9.3.22-20171030 | |
| Mortbay Jetty | =9.3.23-20180228 | |
| Mortbay Jetty | =9.3.24-20180605 | |
| Mortbay Jetty | =9.3.25-20180904 | |
| Mortbay Jetty | =9.4.0-20161207 | |
| Mortbay Jetty | =9.4.0-20161208 | |
| Mortbay Jetty | =9.4.0-20180619 | |
| Mortbay Jetty | =9.4.0-maintenance_0 | |
| Mortbay Jetty | =9.4.0-maintenance_1 | |
| Mortbay Jetty | =9.4.0-rc0 | |
| Mortbay Jetty | =9.4.0-rc1 | |
| Mortbay Jetty | =9.4.0-rc2 | |
| Mortbay Jetty | =9.4.0-rc3 | |
| Mortbay Jetty | =9.4.1-20170120 | |
| Mortbay Jetty | =9.4.1-20180619 | |
| Mortbay Jetty | =9.4.2-20170220 | |
| Mortbay Jetty | =9.4.2-20180619 | |
| Mortbay Jetty | =9.4.3-20170317 | |
| Mortbay Jetty | =9.4.3-20180619 | |
| Mortbay Jetty | =9.4.4-20170410 | |
| Mortbay Jetty | =9.4.4-20170414 | |
| Mortbay Jetty | =9.4.4-20180619 | |
| Mortbay Jetty | =9.4.5-20170502 | |
| Mortbay Jetty | =9.4.5-20180619 | |
| Mortbay Jetty | =9.4.6-20170531 | |
| Mortbay Jetty | =9.4.6-20180619 | |
| Mortbay Jetty | =9.4.7-20170914 | |
| Mortbay Jetty | =9.4.7-20180619 | |
| Mortbay Jetty | =9.4.7-rc0 | |
| Mortbay Jetty | =9.4.8-20171121 | |
| Mortbay Jetty | =9.4.8-20180619 | |
| Mortbay Jetty | =9.4.9-20180320 | |
| Mortbay Jetty | =9.4.10-20180503 | |
| Mortbay Jetty | =9.4.10-rc0 | |
| Mortbay Jetty | =9.4.10-rc1 | |
| Mortbay Jetty | =9.4.11-20180605 | |
| Mortbay Jetty | =9.4.12-20180830 | |
| Mortbay Jetty | =9.4.12-rc0 | |
| Mortbay Jetty | =9.4.12-rc1 | |
| Mortbay Jetty | =9.4.12-rc2 | |
| Mortbay Jetty | =9.4.13-20181111 | |
| Mortbay Jetty | =9.4.14-20181114 | |
| Mortbay Jetty | =9.4.15-20190215 | |
| Debian | =9.0 | |
| Debian | =10.0 | |
| Apache ActiveMQ | =5.15.9 | |
| Apache Drill | =1.16.0 | |
| Oracle FLEXCUBE Core Banking | >=11.5.0<=11.7.0 | |
| Oracle FLEXCUBE Core Banking | =5.2.0 | |
| Oracle REST Data Services | =11.2.0.4 | |
| Oracle REST Data Services | =12.1.0.2 | |
| Oracle REST Data Services | =12.2.0.1 | |
| Oracle REST Data Services | =18c | |
| Oracle Retail Xstore Office Cloud Service | =7.1 | |
| Oracle Retail Xstore Office Cloud Service | =15.0 | |
| Oracle Retail Xstore Office Cloud Service | =16.0 | |
| Oracle Retail Xstore Office Cloud Service | =17.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-10241 https://nvd.nist.gov/vuln/detail/CVE-2019-10241
- https://bugzilla.redhat.com/show_bug.cgi?id=1705924
- https://access.redhat.com/errata/RHSA-2020:0922
- https://access.redhat.com/errata/RHSA-2020:1445
- https://access.redhat.com/errata/RHSA-2020:0983
- https://access.redhat.com/security/cve/cve-2019-10241
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121
- https://lists.apache.org/thread.html/01e004c3f7c7365863a27e7038b7f32dae56ccf3a496b277c9b7f7b6@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/464892b514c029dfc0c8656a93e1c0de983c473df70fdadbd224e09f@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/8bff534863c7aaf09bb17c3d0532777258dd3a5c7ddda34198cc2742@%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/bcfb37bfba7b3d7e9c7808b5e5a38a98d6bb714d52cf5162bdd48e32@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/d7c4a664a34853f57c2163ab562f39802df5cf809523ea40c97289c1@%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html
- https://security.netapp.com/advisory/ntap-20190509-0003/
- https://www.debian.org/security/2021/dsa-4949
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://github.com/eclipse/jetty.project/issues/3319#issuecomment-567918620
- https://security-tracker.debian.org/tracker/CVE-2019-10241
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1705925
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://access.redhat.com/security/updates/classification/
- https://lists.apache.org/thread.html/464892b514c029dfc0c8656a93e1c0de983c473df70fdadbd224e09f%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/d7c4a664a34853f57c2163ab562f39802df5cf809523ea40c97289c1%40%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/bcfb37bfba7b3d7e9c7808b5e5a38a98d6bb714d52cf5162bdd48e32%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/01e004c3f7c7365863a27e7038b7f32dae56ccf3a496b277c9b7f7b6%40%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/8bff534863c7aaf09bb17c3d0532777258dd3a5c7ddda34198cc2742%40%3Cdev.kafka.apache.org%3E
- https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://www.ibm.com/support/pages/node/7173592 (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID for this Jetty vulnerability?
The vulnerability ID for this Jetty vulnerability is CVE-2019-10241.
What is the severity of CVE-2019-10241?
The severity of CVE-2019-10241 is medium.
How does the vulnerability in CVE-2019-10241 manifest?
The vulnerability in CVE-2019-10241 manifests as XSS (cross-site scripting) conditions when a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
Which versions of Eclipse Jetty are affected by CVE-2019-10241?
Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older are affected by CVE-2019-10241.
How can I fix CVE-2019-10241?
To fix CVE-2019-10241, update to Jetty version 9.2.27 (or later), 9.3.26 (or later), or 9.4.16 (or later), depending on the version you are using.
- collector/redhat-cve
- collector/security-tracker-debian
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/weakness
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-10241
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/event
- agent/last-modified-date
- agent/references
- agent/severity
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/debian
- package-manager/redhat
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.3
- version/ibm cognos analytics/11.2.0-11.2.4 fp3
- vendor/eclipse
- canonical/mortbay jetty
- version/mortbay jetty/9.2.0-20140523
- version/mortbay jetty/9.2.0-20140526
- version/mortbay jetty/9.2.0-maintenance_0
- version/mortbay jetty/9.2.0-maintenance_1
- version/mortbay jetty/9.2.0-rc0
- version/mortbay jetty/9.2.1-20140609
- version/mortbay jetty/9.2.2-20140723
- version/mortbay jetty/9.2.3-20140905
- version/mortbay jetty/9.2.4-20141103
- version/mortbay jetty/9.2.5-20141112
- version/mortbay jetty/9.2.6-20141203
- version/mortbay jetty/9.2.6-20141205
- version/mortbay jetty/9.2.7-20150116
- version/mortbay jetty/9.2.8-20150217
- version/mortbay jetty/9.2.9-20150224
- version/mortbay jetty/9.2.10-20150310
- version/mortbay jetty/9.2.11-20150528
- version/mortbay jetty/9.2.11-20150529
- version/mortbay jetty/9.2.11-maintenance_0
- version/mortbay jetty/9.2.12-20150709
- version/mortbay jetty/9.2.12-maintenance_0
- version/mortbay jetty/9.2.13-20150730
- version/mortbay jetty/9.2.14-20151106
- version/mortbay jetty/9.2.15-20160210
- version/mortbay jetty/9.2.16-20160407
- version/mortbay jetty/9.2.16-20160414
- version/mortbay jetty/9.2.17-20160517
- version/mortbay jetty/9.2.18-20160721
- version/mortbay jetty/9.2.19-20160908
- version/mortbay jetty/9.2.20-20161216
- version/mortbay jetty/9.2.21-20170120
- version/mortbay jetty/9.2.22-20170606
- version/mortbay jetty/9.2.23-20171218
- version/mortbay jetty/9.2.24-20180105
- version/mortbay jetty/9.2.25-20180606
- version/mortbay jetty/9.2.26-20180806
- version/mortbay jetty/9.3.0-20150601
- version/mortbay jetty/9.3.0-20150608
- version/mortbay jetty/9.3.0-20150612
- version/mortbay jetty/9.3.0-maintenance0
- version/mortbay jetty/9.3.0-maintenance1
- version/mortbay jetty/9.3.0-maintenance2
- version/mortbay jetty/9.3.0-rc0
- version/mortbay jetty/9.3.0-rc1
- version/mortbay jetty/9.3.1-20150714
- version/mortbay jetty/9.3.2-20150730
- version/mortbay jetty/9.3.3-20150825
- version/mortbay jetty/9.3.3-20150827
- version/mortbay jetty/9.3.4-20151005
- version/mortbay jetty/9.3.4-20151007
- version/mortbay jetty/9.3.4-rc0
- version/mortbay jetty/9.3.4-rc1
- version/mortbay jetty/9.3.5-20151012
- version/mortbay jetty/9.3.6-20151106
- version/mortbay jetty/9.3.7-20160115
- version/mortbay jetty/9.3.7-rc0
- version/mortbay jetty/9.3.7-rc1
- version/mortbay jetty/9.3.8-20160311
- version/mortbay jetty/9.3.8-20160314
- version/mortbay jetty/9.3.8-rc0
- version/mortbay jetty/9.3.9-20160517
- version/mortbay jetty/9.3.9-maintenance_0
- version/mortbay jetty/9.3.9-maintenance_1
- version/mortbay jetty/9.3.10-20160621
- version/mortbay jetty/9.3.10-maintenance_0
- version/mortbay jetty/9.3.11-20160721
- version/mortbay jetty/9.3.11-maintenance_0
- version/mortbay jetty/9.3.12-20160915
- version/mortbay jetty/9.3.13-20161014
- version/mortbay jetty/9.3.13-maintenance_0
- version/mortbay jetty/9.3.14-20161028
- version/mortbay jetty/9.3.15-20161220
- version/mortbay jetty/9.3.16-20170119
- version/mortbay jetty/9.3.16-20170120
- version/mortbay jetty/9.3.17-20170317
- version/mortbay jetty/9.3.17-rc0
- version/mortbay jetty/9.3.18-20170406
- version/mortbay jetty/9.3.19-20170502
- version/mortbay jetty/9.3.20-20170531
- version/mortbay jetty/9.3.21-20170918
- version/mortbay jetty/9.3.21-maintenance_0
- version/mortbay jetty/9.3.21-rc0
- version/mortbay jetty/9.3.22-20171030
- version/mortbay jetty/9.3.23-20180228
- version/mortbay jetty/9.3.24-20180605
- version/mortbay jetty/9.3.25-20180904
- version/mortbay jetty/9.4.0-20161207
- version/mortbay jetty/9.4.0-20161208
- version/mortbay jetty/9.4.0-20180619
- version/mortbay jetty/9.4.0-maintenance_0
- version/mortbay jetty/9.4.0-maintenance_1
- version/mortbay jetty/9.4.0-rc0
- version/mortbay jetty/9.4.0-rc1
- version/mortbay jetty/9.4.0-rc2
- version/mortbay jetty/9.4.0-rc3
- version/mortbay jetty/9.4.1-20170120
- version/mortbay jetty/9.4.1-20180619
- version/mortbay jetty/9.4.2-20170220
- version/mortbay jetty/9.4.2-20180619
- version/mortbay jetty/9.4.3-20170317
- version/mortbay jetty/9.4.3-20180619
- version/mortbay jetty/9.4.4-20170410
- version/mortbay jetty/9.4.4-20170414
- version/mortbay jetty/9.4.4-20180619
- version/mortbay jetty/9.4.5-20170502
- version/mortbay jetty/9.4.5-20180619
- version/mortbay jetty/9.4.6-20170531
- version/mortbay jetty/9.4.6-20180619
- version/mortbay jetty/9.4.7-20170914
- version/mortbay jetty/9.4.7-20180619
- version/mortbay jetty/9.4.7-rc0
- version/mortbay jetty/9.4.8-20171121
- version/mortbay jetty/9.4.8-20180619
- version/mortbay jetty/9.4.9-20180320
- version/mortbay jetty/9.4.10-20180503
- version/mortbay jetty/9.4.10-rc0
- version/mortbay jetty/9.4.10-rc1
- version/mortbay jetty/9.4.11-20180605
- version/mortbay jetty/9.4.12-20180830
- version/mortbay jetty/9.4.12-rc0
- version/mortbay jetty/9.4.12-rc1
- version/mortbay jetty/9.4.12-rc2
- version/mortbay jetty/9.4.13-20181111
- version/mortbay jetty/9.4.14-20181114
- version/mortbay jetty/9.4.15-20190215
- vendor/debian
- canonical/debian
- version/debian/9.0
- version/debian/10.0
- vendor/apache
- canonical/apache activemq
- version/apache activemq/5.15.9
- canonical/apache drill
- version/apache drill/1.16.0
- vendor/oracle
- canonical/oracle flexcube core banking
- version/oracle flexcube core banking/11.5.0
- version/oracle flexcube core banking/11.7.0
- version/oracle flexcube core banking/5.2.0
- canonical/oracle rest data services
- version/oracle rest data services/11.2.0.4
- version/oracle rest data services/12.1.0.2
- version/oracle rest data services/12.2.0.1
- version/oracle rest data services/18c
- canonical/oracle retail xstore office cloud service
- version/oracle retail xstore office cloud service/7.1
- version/oracle retail xstore office cloud service/15.0
- version/oracle retail xstore office cloud service/16.0
- version/oracle retail xstore office cloud service/17.0