CVE-2018-12536 in Eclipse and Oracle Products
Published on June 27, 2018
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
Weakness Type
Generation of Error Message Containing Sensitive Information
The software generates an error message that includes sensitive information about its environment, users, or associated data.
Products Associated with CVE-2018-12536
stack.watch emails you whenever new vulnerabilities are published in Eclipse Jetty or Oracle Retail Xstore Point Of Service. Just hit a watch button to start following.
Affected Versions
The Eclipse Foundation Eclipse Jetty:- Version unspecified, <= 9.2.0 is affected.
- Version 9.3.0 and below unspecified is affected.
- Version unspecified and below 9.3.24 is affected.
- Version 9.4.0 and below unspecified is affected.
- Version unspecified and below 9.4.11 is affected.
Exploit Probability
EPSS
1.52%
Percentile
81.06%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.