CVE-2019-10246: Infoleak
First published: Mon Apr 22 2019(Updated: )
Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw when configured for showing a listing of directory contents. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information.
Credit: emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Eclipse Jetty | =9.2.27-20190403 | |
| Eclipse Jetty | =9.3.26-20190403 | |
| Eclipse Jetty | =9.4.16-20190411 | |
| Microsoft Windows | ||
| NetApp OnCommand System Manager | >=3.0<=3.1.3 | |
| NetApp Snap Creator Framework | ||
| NetApp SnapCenter | ||
| netapp snapmanager Oracle | ||
| netapp snapmanager sap | ||
| NetApp Storage Replication Adapter for Clustered Data ONTAP for VMware vSphere | >=9.6 | |
| NetApp Storage Replication Adapter | =9.6 | |
| NetApp Storage Services Connector | ||
| NetApp VASA Provider | >=9.6 | |
| NetApp VASA Provider | ||
| NetApp Virtual Storage Console for VMware vSphere | >=9.6 | |
| NetApp Virtual Storage Console | =9.6 | |
| NetApp Element Plug-in for vCenter Server | ||
| Oracle AutoVue | =21.0.2 | |
| oracle communications analytics | =12.1.1 | |
| oracle communications element manager | =8.0.0 | |
| oracle communications element manager | =8.1.0 | |
| oracle communications element manager | =8.1.1 | |
| oracle communications element manager | =8.2.0 | |
| Oracle Communications Services Gatekeeper | =6.0 | |
| Oracle Communications Services Gatekeeper | =6.1 | |
| Oracle Communications Services Gatekeeper | =7.0 | |
| oracle communications session report manager | =8.0.0 | |
| oracle communications session report manager | =8.1.0 | |
| oracle communications session report manager | =8.1.1 | |
| oracle communications session report manager | =8.2.0 | |
| oracle communications session route manager | =8.0.0 | |
| oracle communications session route manager | =8.1.0 | |
| oracle communications session route manager | =8.1.1 | |
| oracle communications session route manager | =8.2.0 | |
| Oracle Data Integrator | =12.2.1.3.0 | |
| Oracle Data Integrator | =12.2.1.4.0 | |
| Oracle Endeca Information Discovery Integrator | =3.2.0 | |
| Oracle Enterprise Manager Base Platform | =13.2 | |
| Oracle Enterprise Manager Base Platform | =13.3 | |
| Oracle FLEXCUBE Core Banking | >=11.5.0<=11.7.0 | |
| Oracle FLEXCUBE Core Banking | =5.2.0 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Oracle Hospitality Guest Access | =4.2.0 | |
| Oracle Hospitality Guest Access | =4.2.1 | |
| Oracle REST Data Services | =11.2.0.4 | |
| Oracle REST Data Services | =12.1.0.2 | |
| Oracle REST Data Services | =12.2.0.1 | |
| Oracle REST Data Services | =18c | |
| Oracle Retail Xstore Office Cloud Service | =7.1 | |
| Oracle Retail Xstore Office Cloud Service | =15.0 | |
| Oracle Retail Xstore Office Cloud Service | =16.0 | |
| Oracle Retail Xstore Office Cloud Service | =17.0 | |
| Oracle Unified Directory | =12.2.1.3.0 | |
| Oracle Unified Directory | =12.2.1.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=546576
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
- https://security.netapp.com/advisory/ntap-20190509-0003/
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/160611
- https://www.ibm.com/support/pages/node/6466729 (Advisory)
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
Frequently Asked Questions
What is the vulnerability ID for this Eclipse Jetty vulnerability?
The vulnerability ID for this Eclipse Jetty vulnerability is CVE-2019-10246.
What is the severity level of CVE-2019-10246?
The severity level of CVE-2019-10246 is medium (5.3).
Which software versions are affected by CVE-2019-10246?
Eclipse Jetty versions 9.2.27, 9.3.26, and 9.4.16 are affected by CVE-2019-10246.
How can a remote attacker exploit this vulnerability in Eclipse Jetty?
A remote attacker can exploit this vulnerability in Eclipse Jetty to obtain sensitive information by exposing the fully qualified Base Resource directory name on Windows to a remote client when the server is configured for showing a Listing of directory contents.
Are Windows servers vulnerable to CVE-2019-10246?
No, Windows servers are not vulnerable to CVE-2019-10246.
- agent/type
- agent/author
- agent/weakness
- agent/severity
- agent/description
- collector/ibm-support
- source/IBM
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/eclipse
- canonical/eclipse jetty
- version/eclipse jetty/9.2.27-20190403
- version/eclipse jetty/9.3.26-20190403
- version/eclipse jetty/9.4.16-20190411
- vendor/microsoft
- canonical/microsoft windows
- vendor/netapp
- canonical/netapp oncommand system manager
- version/netapp oncommand system manager/3.0
- version/netapp oncommand system manager/3.1.3
- canonical/netapp snap creator framework
- canonical/netapp snapcenter
- canonical/netapp snapmanager oracle
- canonical/netapp snapmanager sap
- canonical/netapp storage replication adapter for clustered data ontap for vmware vsphere
- version/netapp storage replication adapter for clustered data ontap for vmware vsphere/9.6
- canonical/netapp storage replication adapter
- version/netapp storage replication adapter/9.6
- canonical/netapp storage services connector
- canonical/netapp vasa provider
- version/netapp vasa provider/9.6
- canonical/netapp virtual storage console for vmware vsphere
- version/netapp virtual storage console for vmware vsphere/9.6
- canonical/netapp virtual storage console
- version/netapp virtual storage console/9.6
- canonical/netapp element plug-in for vcenter server
- vendor/oracle
- canonical/oracle autovue
- version/oracle autovue/21.0.2
- canonical/oracle communications analytics
- version/oracle communications analytics/12.1.1
- canonical/oracle communications element manager
- version/oracle communications element manager/8.0.0
- version/oracle communications element manager/8.1.0
- version/oracle communications element manager/8.1.1
- version/oracle communications element manager/8.2.0
- canonical/oracle communications services gatekeeper
- version/oracle communications services gatekeeper/6.0
- version/oracle communications services gatekeeper/6.1
- version/oracle communications services gatekeeper/7.0
- canonical/oracle communications session report manager
- version/oracle communications session report manager/8.0.0
- version/oracle communications session report manager/8.1.0
- version/oracle communications session report manager/8.1.1
- version/oracle communications session report manager/8.2.0
- canonical/oracle communications session route manager
- version/oracle communications session route manager/8.0.0
- version/oracle communications session route manager/8.1.0
- version/oracle communications session route manager/8.1.1
- version/oracle communications session route manager/8.2.0
- canonical/oracle data integrator
- version/oracle data integrator/12.2.1.3.0
- version/oracle data integrator/12.2.1.4.0
- canonical/oracle endeca information discovery integrator
- version/oracle endeca information discovery integrator/3.2.0
- canonical/oracle enterprise manager base platform
- version/oracle enterprise manager base platform/13.2
- version/oracle enterprise manager base platform/13.3
- canonical/oracle flexcube core banking
- version/oracle flexcube core banking/11.5.0
- version/oracle flexcube core banking/11.7.0
- version/oracle flexcube core banking/5.2.0
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- canonical/oracle hospitality guest access
- version/oracle hospitality guest access/4.2.0
- version/oracle hospitality guest access/4.2.1
- canonical/oracle rest data services
- version/oracle rest data services/11.2.0.4
- version/oracle rest data services/12.1.0.2
- version/oracle rest data services/12.2.0.1
- version/oracle rest data services/18c
- canonical/oracle retail xstore office cloud service
- version/oracle retail xstore office cloud service/7.1
- version/oracle retail xstore office cloud service/15.0
- version/oracle retail xstore office cloud service/16.0
- version/oracle retail xstore office cloud service/17.0
- canonical/oracle unified directory
- version/oracle unified directory/12.2.1.3.0
- version/oracle unified directory/12.2.1.4.0