First published: Mon Apr 22 2019
Eclipse Jetty is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the DefaultServlet and ResourceHandler. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Credit: emo@eclipse.org
Affected Software | Affected Version | How to fix |
---|---|---|
Eclipse Jetty | =9.2.0-20140523 | |
Eclipse Jetty | =9.2.0-20140526 | |
Eclipse Jetty | =9.2.0-maintenance_0 | |
Eclipse Jetty | =9.2.0-maintenance_1 | |
Eclipse Jetty | =9.2.0-rc0 | |
Eclipse Jetty | =9.2.1-20140609 | |
Eclipse Jetty | =9.2.2-20140723 | |
Eclipse Jetty | =9.2.3-20140905 | |
Eclipse Jetty | =9.2.4-20141103 | |
Eclipse Jetty | =9.2.5-20141112 | |
Eclipse Jetty | =9.2.6-20141203 | |
Eclipse Jetty | =9.2.6-20141205 | |
Eclipse Jetty | =9.2.7-20150116 | |
Eclipse Jetty | =9.2.8-20150217 | |
Eclipse Jetty | =9.2.9-20150224 | |
Eclipse Jetty | =9.2.10-20150310 | |
Eclipse Jetty | =9.2.11-20150528 | |
Eclipse Jetty | =9.2.11-20150529 | |
Eclipse Jetty | =9.2.11-maintenance_0 | |
Eclipse Jetty | =9.2.12-20150709 | |
Eclipse Jetty | =9.2.12-maintenance_0 | |
Eclipse Jetty | =9.2.13-20150730 | |
Eclipse Jetty | =9.2.14-20151106 | |
Eclipse Jetty | =9.2.15-20160210 | |
Eclipse Jetty | =9.2.16-20160407 | |
Eclipse Jetty | =9.2.16-20160414 | |
Eclipse Jetty | =9.2.17-20160517 | |
Eclipse Jetty | =9.2.18-20160721 | |
Eclipse Jetty | =9.2.19-20160908 | |
Eclipse Jetty | =9.2.20-20161216 | |
Eclipse Jetty | =9.2.21-20170120 | |
Eclipse Jetty | =9.2.22-20170606 | |
Eclipse Jetty | =9.2.23-20171218 | |
Eclipse Jetty | =9.2.24-20180105 | |
Eclipse Jetty | =9.2.25-20180606 | |
Eclipse Jetty | =9.2.26-20180806 | |
Eclipse Jetty | =9.3.0-20150601 | |
Eclipse Jetty | =9.3.0-20150608 | |
Eclipse Jetty | =9.3.0-20150612 | |
Eclipse Jetty | =9.3.0-maintenance0 | |
Eclipse Jetty | =9.3.0-maintenance1 | |
Eclipse Jetty | =9.3.0-maintenance2 | |
Eclipse Jetty | =9.3.0-rc0 | |
Eclipse Jetty | =9.3.0-rc1 | |
Eclipse Jetty | =9.3.1-20150714 | |
Eclipse Jetty | =9.3.2-20150730 | |
Eclipse Jetty | =9.3.3-20150825 | |
Eclipse Jetty | =9.3.3-20150827 | |
Eclipse Jetty | =9.3.4-20151005 | |
Eclipse Jetty | =9.3.4-20151007 | |
Eclipse Jetty | =9.3.4-rc0 | |
Eclipse Jetty | =9.3.4-rc1 | |
Eclipse Jetty | =9.3.5-20151012 | |
Eclipse Jetty | =9.3.6-20151106 | |
Eclipse Jetty | =9.3.7-20160115 | |
Eclipse Jetty | =9.3.7-rc0 | |
Eclipse Jetty | =9.3.7-rc1 | |
Eclipse Jetty | =9.3.8-20160311 | |
Eclipse Jetty | =9.3.8-20160314 | |
Eclipse Jetty | =9.3.8-rc0 | |
Eclipse Jetty | =9.3.9-20160517 | |
Eclipse Jetty | =9.3.9-maintenance_0 | |
Eclipse Jetty | =9.3.9-maintenance_1 | |
Eclipse Jetty | =9.3.10-20160621 | |
Eclipse Jetty | =9.3.10-maintenance_0 | |
Eclipse Jetty | =9.3.11-20160721 | |
Eclipse Jetty | =9.3.11-maintenance_0 | |
Eclipse Jetty | =9.3.12-20160915 | |
Eclipse Jetty | =9.3.13-20161014 | |
Eclipse Jetty | =9.3.13-maintenance_0 | |
Eclipse Jetty | =9.3.14-20161028 | |
Eclipse Jetty | =9.3.15-20161220 | |
Eclipse Jetty | =9.3.16-20170119 | |
Eclipse Jetty | =9.3.16-20170120 | |
Eclipse Jetty | =9.3.17-20170317 | |
Eclipse Jetty | =9.3.17-rc0 | |
Eclipse Jetty | =9.3.18-20170406 | |
Eclipse Jetty | =9.3.19-20170502 | |
Eclipse Jetty | =9.3.20-20170531 | |
Eclipse Jetty | =9.3.21-20170918 | |
Eclipse Jetty | =9.3.21-maintenance_0 | |
Eclipse Jetty | =9.3.21-rc0 | |
Eclipse Jetty | =9.3.22-20171030 | |
Eclipse Jetty | =9.3.23-20180228 | |
Eclipse Jetty | =9.3.24-20180605 | |
Eclipse Jetty | =9.3.25-20180904 | |
Eclipse Jetty | =9.4.0-20161207 | |
Eclipse Jetty | =9.4.0-20161208 | |
Eclipse Jetty | =9.4.0-20180619 | |
Eclipse Jetty | =9.4.0-maintenance_0 | |
Eclipse Jetty | =9.4.0-maintenance_1 | |
Eclipse Jetty | =9.4.0-rc0 | |
Eclipse Jetty | =9.4.0-rc1 | |
Eclipse Jetty | =9.4.0-rc2 | |
Eclipse Jetty | =9.4.0-rc3 | |
Eclipse Jetty | =9.4.1-20170120 | |
Eclipse Jetty | =9.4.1-20180619 | |
Eclipse Jetty | =9.4.2-20170220 | |
Eclipse Jetty | =9.4.2-20180619 | |
Eclipse Jetty | =9.4.3-20170317 | |
Eclipse Jetty | =9.4.3-20180619 | |
Eclipse Jetty | =9.4.4-20170410 | |
Eclipse Jetty | =9.4.4-20170414 | |
Eclipse Jetty | =9.4.4-20180619 | |
Eclipse Jetty | =9.4.5-20170502 | |
Eclipse Jetty | =9.4.5-20180619 | |
Eclipse Jetty | =9.4.6-20170531 | |
Eclipse Jetty | =9.4.6-20180619 | |
Eclipse Jetty | =9.4.7-20170914 | |
Eclipse Jetty | =9.4.7-20180619 | |
Eclipse Jetty | =9.4.7-rc0 | |
Eclipse Jetty | =9.4.8-20171121 | |
Eclipse Jetty | =9.4.8-20180619 | |
Eclipse Jetty | =9.4.9-20180320 | |
Eclipse Jetty | =9.4.10-20180503 | |
Eclipse Jetty | =9.4.10-rc0 | |
Eclipse Jetty | =9.4.10-rc1 | |
Eclipse Jetty | =9.4.11-20180605 | |
Eclipse Jetty | =9.4.12-20180830 | |
Eclipse Jetty | =9.4.12-rc0 | |
Eclipse Jetty | =9.4.12-rc1 | |
Eclipse Jetty | =9.4.12-rc2 | |
Eclipse Jetty | =9.4.13-20181111 | |
Eclipse Jetty | =9.4.14-20181114 | |
Eclipse Jetty | =9.4.15-20190215 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
Apache ActiveMQ | =5.15.9 | |
Apache Drill | =1.16.0 | |
Oracle FLEXCUBE Core Banking | >=11.5.0<=11.7.0 | |
Oracle FLEXCUBE Core Banking | =5.2.0 | |
Oracle REST Data Services | =11.2.0.4 | |
Oracle REST Data Services | =12.1.0.2 | |
Oracle REST Data Services | =12.2.0.1 | |
Oracle REST Data Services | =18c | |
Oracle Retail Xstore Point of Service | =7.1 | |
Oracle Retail Xstore Point of Service | =15.0 | |
Oracle Retail Xstore Point of Service | =16.0 | |
Oracle Retail Xstore Point of Service | =17.0 | |
debian/jetty9 | | 9.4.16-0+deb10u1, 9.4.50-4+deb10u1, 9.4.39-3+deb11u2, 9.4.50-4+deb11u1, 9.4.50-4+deb12u2, 9.4.53-1 |
redhat/jetty | <9.2.27 | 9.2.27 |
redhat/jetty | <9.3.26 | 9.3.26 |
redhat/jetty | <9.4.16 | 9.4.16 |
IBM GDE | <=3.0.0.2 | |
The vulnerability ID for this Jetty vulnerability is CVE-2019-10241.
The severity of CVE-2019-10241 is medium.
The vulnerability in CVE-2019-10241 manifests as XSS (cross-site scripting) conditions when a remote client uses a specially formatted URL against a DefaultServlet or ResourceHandler that is configured to show a listing of directory contents.
Eclipse Jetty versions 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older are affected by CVE-2019-10241.
To fix CVE-2019-10241, update to Jetty version 9.2.27 (or later), 9.3.26 (or later), or 9.4.16 (or later), depending on the version you are using.
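As an added example (not part of the advisory or of the Jetty project), a small Python helper that classifies Jetty version strings against the fixed releases named above, so an inventory of deployed instances can be triaged. It assumes version strings in the forms the table uses (e.g. `9.4.15-20190215`, `9.2.0-maintenance_0`) or the Maven form (`9.4.15.v20190215`), and treats branches other than 9.2, 9.3 and 9.4 as outside this advisory's scope rather than as safe.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed versions per maintenance branch, as stated in the advisory for CVE-2019-10241.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (9, 2): (9, 2, 27),
    (9, 3): (9, 3, 26),
    (9, 4): (9, 4, 16),
}

# major.minor.patch followed by an optional qualifier such as ".v20190215", "-20180806" or "-rc0".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.\-].*)?$")


def parse_jetty_version(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); the build/date qualifier is ignored."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(version: str) -> Optional[bool]:
    """True if affected by CVE-2019-10241, False if at or above the fixed release,
    None if the branch is outside the advisory's scope (e.g. 9.1.x, 10.x).
    Assumption: qualifiers are ignored, so any build of the fixed patch level counts as fixed."""
    major, minor, patch = parse_jetty_version(version)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def triage(versions: List[str]) -> Dict[str, List[str]]:
    """Group an inventory of version strings by advisory status."""
    report: Dict[str, List[str]] = {"affected": [], "fixed": [], "not_covered": []}
    for v in versions:
        status = is_affected(v)
        key = "not_covered" if status is None else ("affected" if status else "fixed")
        report[key].append(v)
    return report


if __name__ == "__main__":
    # Constructed sample inventory, not real deployment data.
    inventory = ["9.4.15-20190215", "9.4.16", "9.2.26-20180806", "9.3.26", "9.1.5", "10.0.0"]
    for status, found in triage(inventory).items():
        print(f"{status}: {found}")
```

Versions reported as `not_covered` still need checking against the vendor rows in the table above (Debian, Red Hat, Oracle, IBM), since those ship their own package numbering.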