Bug 2187703 (CVE-2019-10246) - CVE-2019-10246 jetty: Directory Listing on Windows reveals Resource Base path
Summary: CVE-2019-10246 jetty: Directory Listing on Windows reveals Resource Base path
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-10246
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2180276
TreeView+ depends on / blocked
 
Reported: 2023-04-18 13:07 UTC by TEJ RATHI
Modified: 2023-04-18 18:05 UTC (History)
1 user (show)

Fixed In Version: jetty 9.2.28, jetty 9.3.27, jetty 9.4.17
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Eclipse Jetty. This issue may lead to exposure of the fully qualified Base Resource directory name on Windows to a remote client when configured to show a listing of directory contents. By sending a specially-crafted request, a remote attacker could obtain sensitive information.
Clone Of:
Environment:
Last Closed: 2023-04-18 18:05:06 UTC
Embargoed:

Attachments (Terms of Use)

Description TEJ RATHI 2023-04-18 13:07:23 UTC 
In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.

Fixed in 9.2.28, 9.3.27, 9.4.17

https://bugs.eclipse.org/bugs/show_bug.cgi?id=546576
https://github.com/eclipse/jetty.project/issues/3549
Comment 1 TEJ RATHI 2023-04-18 13:11:31 UTC 
This CVE only impacts users using Eclipse Jetty on Windows.
Comment 2 Product Security DevOps Team 2023-04-18 18:05:04 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10246
Note You need to log in before you can comment on or make changes to this bug.