In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories. Fixed in 9.2.28, 9.3.27, 9.4.17 https://bugs.eclipse.org/bugs/show_bug.cgi?id=546576 https://github.com/eclipse/jetty.project/issues/3549
This CVE only impacts users using Eclipse Jetty on Windows.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10246