Vulnerability Database

CVE-2019-10241

In Eclipse Jetty versions 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.

CVSS v3:

  • Severity: Medium
  • Score: 6.1
  • Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

  • Severity: Low
  • Score: 4.3
  • Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Affected software (columns: vendor / product, from version, fixed in):

eclipse / jetty 9.3.0-rc0 9.3.0-rc0.x
eclipse / jetty 9.3.4-rc1 9.3.4-rc1.x
eclipse / jetty 9.3.4-rc0 9.3.4-rc0.x
eclipse / jetty 9.3.0-rc1 9.3.0-rc1.x
eclipse / jetty 9.3.7-rc0 9.3.7-rc0.x
eclipse / jetty 9.3.8-rc0 9.3.8-rc0.x
eclipse / jetty 9.3.7-rc1 9.3.7-rc1.x
eclipse / jetty 9.3.0-20150601 9.3.0-20150601.x
eclipse / jetty 9.3.0-20150608 9.3.0-20150608.x
eclipse / jetty 9.3.0-20150612 9.3.0-20150612.x
eclipse / jetty 9.3.1-20150714 9.3.1-20150714.x
eclipse / jetty 9.3.2-20150730 9.3.2-20150730.x
eclipse / jetty 9.3.3-20150825 9.3.3-20150825.x
eclipse / jetty 9.3.3-20150827 9.3.3-20150827.x
eclipse / jetty 9.3.4-20151007 9.3.4-20151007.x
eclipse / jetty 9.3.4-20151005 9.3.4-20151005.x
eclipse / jetty 9.3.5-20151012 9.3.5-20151012.x
eclipse / jetty 9.3.6-20151106 9.3.6-20151106.x
eclipse / jetty 9.3.7-20160115 9.3.7-20160115.x
eclipse / jetty 9.3.8-20160311 9.3.8-20160311.x
eclipse / jetty 9.3.8-20160314 9.3.8-20160314.x
eclipse / jetty 9.3.9-20160517 9.3.9-20160517.x
eclipse / jetty 9.3.9-maintenance_0 9.3.9-maintenance_0.x
eclipse / jetty 9.3.9-maintenance_1 9.3.9-maintenance_1.x
eclipse / jetty 9.3.10-20160621 9.3.10-20160621.x
eclipse / jetty 9.3.10-maintenance_0 9.3.10-maintenance_0.x
eclipse / jetty 9.3.11-20160721 9.3.11-20160721.x
eclipse / jetty 9.3.11-maintenance_0 9.3.11-maintenance_0.x
eclipse / jetty 9.3.12-20160915 9.3.12-20160915.x
eclipse / jetty 9.3.13-20161014 9.3.13-20161014.x
eclipse / jetty 9.3.13-maintenance_0 9.3.13-maintenance_0.x
eclipse / jetty 9.3.14-20161028 9.3.14-20161028.x
eclipse / jetty 9.3.15-20161220 9.3.15-20161220.x
eclipse / jetty 9.3.16-20170119 9.3.16-20170119.x
eclipse / jetty 9.3.16-20170120 9.3.16-20170120.x
eclipse / jetty 9.3.17-20170317 9.3.17-20170317.x
eclipse / jetty 9.3.17-rc0 9.3.17-rc0.x
eclipse / jetty 9.3.18-20170406 9.3.18-20170406.x
eclipse / jetty 9.3.19-20170502 9.3.19-20170502.x
eclipse / jetty 9.3.20-20170531 9.3.20-20170531.x
eclipse / jetty 9.3.21-maintenance_0 9.3.21-maintenance_0.x
eclipse / jetty 9.3.21-rc0 9.3.21-rc0.x
eclipse / jetty 9.3.21-20170918 9.3.21-20170918.x
eclipse / jetty 9.3.22-20171030 9.3.22-20171030.x
eclipse / jetty 9.3.23-20180228 9.3.23-20180228.x
eclipse / jetty 9.3.24-20180605 9.3.24-20180605.x
eclipse / jetty 9.3.25-20180904 9.3.25-20180904.x
eclipse / jetty 9.4.0-maintenance_0 9.4.0-maintenance_0.x
eclipse / jetty 9.4.0-maintenance_1 9.4.0-maintenance_1.x
eclipse / jetty 9.4.0-rc0 9.4.0-rc0.x
eclipse / jetty 9.4.0-rc1 9.4.0-rc1.x
eclipse / jetty 9.4.0-rc2 9.4.0-rc2.x
eclipse / jetty 9.4.0-rc3 9.4.0-rc3.x
eclipse / jetty 9.4.0-20161207 9.4.0-20161207.x
eclipse / jetty 9.4.0-20161208 9.4.0-20161208.x
eclipse / jetty 9.4.0-20180619 9.4.0-20180619.x
eclipse / jetty 9.4.1-20170120 9.4.1-20170120.x
eclipse / jetty 9.4.1-20180619 9.4.1-20180619.x
eclipse / jetty 9.4.2-20170220 9.4.2-20170220.x
eclipse / jetty 9.4.2-20180619 9.4.2-20180619.x
eclipse / jetty 9.4.3-20170317 9.4.3-20170317.x
eclipse / jetty 9.4.3-20180619 9.4.3-20180619.x
eclipse / jetty 9.4.4-20170410 9.4.4-20170410.x
eclipse / jetty 9.4.4-20170414 9.4.4-20170414.x
eclipse / jetty 9.4.4-20180619 9.4.4-20180619.x
eclipse / jetty 9.4.5-20170502 9.4.5-20170502.x
eclipse / jetty 9.4.5-20180619 9.4.5-20180619.x
eclipse / jetty 9.4.6-20170531 9.4.6-20170531.x
eclipse / jetty 9.4.6-20180619 9.4.6-20180619.x
eclipse / jetty 9.4.7-20170914 9.4.7-20170914.x
eclipse / jetty 9.4.7-20180619 9.4.7-20180619.x
eclipse / jetty 9.4.7-rc0 9.4.7-rc0.x
eclipse / jetty 9.4.8-20171121 9.4.8-20171121.x
eclipse / jetty 9.4.8-20180619 9.4.8-20180619.x
eclipse / jetty 9.4.9-20180320 9.4.9-20180320.x
eclipse / jetty 9.4.10-20180503 9.4.10-20180503.x
eclipse / jetty 9.4.10-rc0 9.4.10-rc0.x
eclipse / jetty 9.4.10-rc1 9.4.10-rc1.x
eclipse / jetty 9.4.11-20180605 9.4.11-20180605.x
eclipse / jetty 9.4.12-20180830 9.4.12-20180830.x
eclipse / jetty 9.4.12-rc0 9.4.12-rc0.x
eclipse / jetty 9.4.12-rc1 9.4.12-rc1.x
eclipse / jetty 9.4.12-rc2 9.4.12-rc2.x
eclipse / jetty 9.4.13-20181111 9.4.13-20181111.x
eclipse / jetty 9.4.14-20181114 9.4.14-20181114.x
eclipse / jetty 9.4.15-20190215 9.4.15-20190215.x
eclipse / jetty 9.2.9-20150224 9.2.9-20150224.x
eclipse / jetty 9.2.8-20150217 9.2.8-20150217.x
eclipse / jetty 9.2.7-20150116 9.2.7-20150116.x
eclipse / jetty 9.2.6-20141205 9.2.6-20141205.x
eclipse / jetty 9.2.6-20141203 9.2.6-20141203.x
eclipse / jetty 9.2.5-20141112 9.2.5-20141112.x
eclipse / jetty 9.2.4-20141103 9.2.4-20141103.x
eclipse / jetty 9.2.3-20140905 9.2.3-20140905.x
eclipse / jetty 9.2.0-20140523 9.2.0-20140523.x
eclipse / jetty 9.2.0-20140526 9.2.0-20140526.x
eclipse / jetty 9.2.0-maintenance_0 9.2.0-maintenance_0.x
eclipse / jetty 9.2.0-maintenance_1 9.2.0-maintenance_1.x
eclipse / jetty 9.2.0-rc0 9.2.0-rc0.x
eclipse / jetty 9.2.1-20140609 9.2.1-20140609.x
eclipse / jetty 9.2.2-20140723 9.2.2-20140723.x
eclipse / jetty 9.2.10-20150310 9.2.10-20150310.x
eclipse / jetty 9.2.11-20150528 9.2.11-20150528.x
eclipse / jetty 9.2.11-20150529 9.2.11-20150529.x
eclipse / jetty 9.2.11-maintenance_0 9.2.11-maintenance_0.x
eclipse / jetty 9.2.12-20150709 9.2.12-20150709.x
eclipse / jetty 9.2.12-maintenance_0 9.2.12-maintenance_0.x
eclipse / jetty 9.2.13-20150730 9.2.13-20150730.x
eclipse / jetty 9.2.14-20151106 9.2.14-20151106.x
eclipse / jetty 9.2.15-20160210 9.2.15-20160210.x
eclipse / jetty 9.2.16-20160407 9.2.16-20160407.x
eclipse / jetty 9.2.16-20160414 9.2.16-20160414.x
eclipse / jetty 9.2.17-20160517 9.2.17-20160517.x
eclipse / jetty 9.2.18-20160721 9.2.18-20160721.x
eclipse / jetty 9.2.19-20160908 9.2.19-20160908.x
eclipse / jetty 9.2.20-20161216 9.2.20-20161216.x
eclipse / jetty 9.2.21-20170120 9.2.21-20170120.x
eclipse / jetty 9.2.22-20170606 9.2.22-20170606.x
eclipse / jetty 9.2.23-20171218 9.2.23-20171218.x
eclipse / jetty 9.2.24-20180105 9.2.24-20180105.x
eclipse / jetty 9.2.25-20180606 9.2.25-20180606.x
eclipse / jetty 9.2.26-20180806 9.2.26-20180806.x
eclipse / jetty 9.3.0-maintenance2 9.3.0-maintenance2.x
eclipse / jetty 9.3.0-maintenance0 9.3.0-maintenance0.x
eclipse / jetty 9.3.0-maintenance1 9.3.0-maintenance1.x
debian / debian_linux 9.0 9.0.x
debian / debian_linux 10.0 10.0.x
apache / drill 1.16.0 1.16.0.x
apache / activemq 5.15.9 5.15.9.x
oracle / retail_xstore_point_of_service 15.0 15.0.x
oracle / retail_xstore_point_of_service 7.1 7.1.x
oracle / flexcube_core_banking 5.2.0 5.2.0.x
oracle / retail_xstore_point_of_service 16.0 16.0.x
oracle / retail_xstore_point_of_service 17.0 17.0.x
oracle / rest_data_services 12.2.0.1 12.2.0.1.x
oracle / rest_data_services 12.1.0.2 12.1.0.2.x
oracle / rest_data_services 11.2.0.4 11.2.0.4.x
oracle / rest_data_services 18c 18c.x
oracle / flexcube_core_banking 11.5.0 11.7.0.x
org.eclipse.jetty / jetty-server - 9.2.27.v20190403
org.eclipse.jetty / jetty-server 9.3.0 9.3.26.v20190403
org.eclipse.jetty / jetty-server 9.4.0 9.4.16.v20190411