CVE-2019-10247 vulnerability in Eclipse and Other Products
Published on April 22, 2019
In Eclipse Jetty versions 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server (on any OS and Jetty version combination) reveals the configured fully qualified directory base resource location in the output of the 404 error returned when no Context matches the requested path. The default server configuration in jetty-distribution and jetty-home places a DefaultHandler at the end of the Handler tree; this handler is responsible for reporting the 404 error, and it presents the various configured contexts as HTML for users to click through. The generated HTML includes the configured fully qualified directory base resource location for each context.
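The description above explains that the leak comes from the terminal DefaultHandler rendering the context list. The following embedded-server snippet is an added example for this page, not code from the Jetty project or from the advisory; it assumes the Jetty 9.4 embedded API, where DefaultHandler exposes setShowContexts(boolean) and setServeIcon(boolean), and the context path and resource base are constructed placeholders. It shows the hardened configuration a defender would apply: the fallback handler still answers 404 for unmatched paths, but no longer renders the list of contexts and their base resource locations.

```java
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ContextHandler;
import org.eclipse.jetty.server.handler.ContextHandlerCollection;
import org.eclipse.jetty.server.handler.DefaultHandler;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.server.handler.ResourceHandler;

public class HardenedDefaultHandler {
    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);

        // One static-content context. Its resource base is a local filesystem
        // path, which is exactly the value the affected DefaultHandler echoed
        // into its 404 page. Path and context name are constructed examples.
        ContextHandler docs = new ContextHandler("/docs");
        docs.setResourceBase("/srv/www/docs");
        docs.setHandler(new ResourceHandler());

        ContextHandlerCollection contexts = new ContextHandlerCollection();
        contexts.addHandler(docs);

        // Terminal handler: keeps returning 404 for paths that match no
        // context, but with the context listing (and therefore the base
        // resource locations) switched off. The favicon is disabled too so
        // the fallback serves nothing but the plain error.
        DefaultHandler fallback = new DefaultHandler();
        fallback.setShowContexts(false);
        fallback.setServeIcon(false);

        // Contexts are tried first; the fallback only runs if none matched.
        HandlerList handlers = new HandlerList();
        handlers.setHandlers(new Handler[] { contexts, fallback });
        server.setHandler(handlers);

        server.start();
        server.join();
    }
}
```

After deploying, a simple regression check is to request a path that matches no context (for example /does-not-exist) and confirm that the 404 body contains neither the context list nor any filesystem path. Disabling showContexts is a configuration-level mitigation that also applies to servers using the jetty.xml DefaultHandler definition; it complements, rather than replaces, moving to a Jetty release that is not in the affected version ranges listed on this page.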
Weakness Type
Exposure of Sensitive Information Due to Incompatible Policies
The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sensitive according to the intended security policies of other stakeholders such as the product's administrator, users, or others whose information is being processed.
Products Associated with CVE-2019-10247
Affected Versions
The Eclipse Foundation Eclipse Jetty:
- Version 7.x is affected.
- Version 8.x is affected.
- Versions up to and including 9.2.27 are affected.
- Versions up to and including 9.3.26 are affected.
- Versions up to and including 9.4.16 are affected.
Exploit Probability
EPSS: 6.48%
Percentile: 90.89%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows how this score compares with those of all other scored vulnerabilities.