CVE-2019-10246 in NetApp and Oracle Products
Published on April 22, 2019

In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.

NVD

Weakness Type

Exposure of Sensitive Information Due to Incompatible Policies

The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.

Products Associated with CVE-2019-10246

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2019-10246 are published in these products:

NetApp Oncommand System Manager

NetApp Snapcenter

NetApp Snapmanager

NetApp Snap Creator Framework

NetApp Virtual Storage Console

Oracle Data Integrator

Oracle Endeca Information Discovery Integrator

Oracle Enterprise Manager Base Platform

Oracle Hospitality Guest Access

Oracle Rest Data Services

Oracle Retail Xstore Point Of Service

NetApp Storage Replication Adapter Clustered Data Ontap

NetApp Storage Services Connector

NetApp Vasa Provider Clustered Data Ontap

NetApp Element

Oracle Autovue

Oracle Communications Analytics

Oracle Communications Element Manager

Oracle Communications Services Gatekeeper

Oracle Communications Session Report Manager

Oracle Flexcube Private Banking

Oracle Flexcube Core Banking

Oracle Communications Session Route Manager

Oracle Unified Directory

Affected Versions

The Eclipse Foundation Eclipse Jetty:

Version 9.2.27 is affected.
Version 9.3.26 is affected.
Version 9.4.16 is affected.

Exploit Probability

EPSS

2.63%

Percentile

85.40%