https://bugzilla.redhat.com/show_bug.cgi?id=1705993
Bug ID: 1705993
Summary: CVE-2019-10247 jetty: error path information disclosure
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190418,reported=20190423,source=cve,cvss3=5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-200,fedora-all/jetty=affected,fuse-6/jetty=new,fuse-7/jetty=new,rhn_satellite_5/jetty=new,rhscl-3/rh-java-common-jetty=new,rhel-6/jetty-eclipse=new,rhel-7/jetty=new
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: darunesh(a)redhat.com
CC: aileenc(a)redhat.com, bkearney(a)redhat.com,
chazlett(a)redhat.com, decathorpe(a)gmail.com,
eclipse-sig(a)lists.fedoraproject.org,
ggainey(a)redhat.com, hhorak(a)redhat.com,
janstey(a)redhat.com, java-maint(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jjohnstn(a)redhat.com, jochrist(a)redhat.com,
jorton(a)redhat.com, krzysztof.daniel(a)gmail.com,
mizdebsk(a)redhat.com, sochotni(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org,
tlestach(a)redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and
9.4.16 and older, the server (on any OS and Jetty version combination) reveals
the configured fully qualified directory base resource location in the output of
the 404 error returned when no Context matches the requested path. The default
server configuration in jetty-distribution and jetty-home places a DefaultHandler
at the end of the Handler tree; that handler is responsible for reporting this
404 error and renders the configured contexts as HTML links for users to click
through. The generated HTML contains the configured fully qualified directory
base resource location for each context.
Reference:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1705924
Bug ID: 1705924
Summary: CVE-2019-10241 jetty: using specially formatted URL against DefaultServlet or ResourceHandler leads to XSS conditions
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190422,reported=20190423,source=cve,cvss3=4.7/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N,cwe=CWE-79,fedora-all/jetty=affected,rhel-6/jetty-eclipse=new,rhel-7/jetty=new,fuse-6/jetty=new,fuse-7/jetty=new,rhn_satellite_5/jetty=new,rhscl-3/rh-java-common-jetty=new
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: mrehak(a)redhat.com
CC: aileenc(a)redhat.com, bkearney(a)redhat.com,
chazlett(a)redhat.com, decathorpe(a)gmail.com,
eclipse-sig(a)lists.fedoraproject.org,
ggainey(a)redhat.com, hhorak(a)redhat.com,
janstey(a)redhat.com, java-maint(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jjohnstn(a)redhat.com, jochrist(a)redhat.com,
jorton(a)redhat.com, krzysztof.daniel(a)gmail.com,
mizdebsk(a)redhat.com, sochotni(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org,
tlestach(a)redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and
older, the server is vulnerable to XSS if a remote client uses a specially
formatted URL against a DefaultServlet or ResourceHandler that is configured to
show a listing of directory contents.
External References:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121
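Both Jetty advisories above concern components that render HTML from server-side state: the DefaultHandler context listing (CVE-2019-10247) and the directory listing of DefaultServlet and ResourceHandler (CVE-2019-10241). The actual fix is the patched Jetty releases tracked in the upstream bugs. As an added example, not taken from either bug report or from the Jetty project, the embedded-server setup below shows the configuration switches that turn those listings off, so the affected output is never generated regardless of version. It assumes the Jetty 9.4 embedded API (`DefaultHandler.setShowContexts`, `ResourceHandler.setDirectoriesListed`, the `dirAllowed` init parameter of DefaultServlet); the resource paths are placeholders.

```java
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ContextHandler;
import org.eclipse.jetty.server.handler.DefaultHandler;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.server.handler.ResourceHandler;
import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

/**
 * Embedded Jetty 9.4 server with the two listing features disabled.
 * Editor's example; paths below are placeholders, not from the bug reports.
 */
public class HardenedJettyServer {

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);

        // Static files through ResourceHandler. With directory listing off,
        // a request for a directory without an index file gets a 403/404
        // instead of a generated HTML listing (the CVE-2019-10241 surface).
        ResourceHandler staticResources = new ResourceHandler();
        staticResources.setResourceBase("/srv/www/static"); // placeholder
        staticResources.setDirectoriesListed(false);
        ContextHandler staticContext = new ContextHandler("/static");
        staticContext.setHandler(staticResources);

        // Application context served by DefaultServlet. dirAllowed=false is
        // the servlet-level equivalent of setDirectoriesListed(false).
        ServletContextHandler appContext =
                new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        appContext.setContextPath("/app");
        appContext.setResourceBase("/srv/www/app"); // placeholder
        ServletHolder defaultServlet = new ServletHolder("default", DefaultServlet.class);
        defaultServlet.setInitParameter("dirAllowed", "false");
        appContext.addServlet(defaultServlet, "/");

        // DefaultHandler still terminates the handler chain and produces the
        // 404 for unmatched paths, but with showContexts=false it no longer
        // enumerates contexts and their base resource locations
        // (the CVE-2019-10247 surface). serveIcon=false drops favicon serving.
        DefaultHandler fallback = new DefaultHandler();
        fallback.setShowContexts(false);
        fallback.setServeIcon(false);

        HandlerList handlers = new HandlerList();
        handlers.setHandlers(new Handler[] { staticContext, appContext, fallback });
        server.setHandler(handlers);

        server.start();
        server.join();
    }
}
```

In jetty-distribution or jetty-home the same two switches are exposed through the XML configuration that installs the DefaultHandler and through the `dirAllowed` init parameter in the deployed web.xml; check the effective values after any upgrade, since defaults differ between the handler and servlet paths.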
https://bugzilla.redhat.com/show_bug.cgi?id=1806398
errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Link ID| |Red Hat Product Errata RHBA-2020:1441
https://bugzilla.redhat.com/show_bug.cgi?id=1806398
errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Link ID| |Red Hat Product Errata RHBA-2020:1440
https://bugzilla.redhat.com/show_bug.cgi?id=1806398
errata-xmlrpc <errata-xmlrpc(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Link ID| |Red Hat Product Errata RHBA-2020:1439
https://bugzilla.redhat.com/show_bug.cgi?id=1269629
Hanns-Joachim Uhl <hannsj_uhl(a)de.ibm.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |INSUFFICIENT_DATA
Last Closed| |2020-04-14 11:05:13
https://bugzilla.redhat.com/show_bug.cgi?id=1269629
--- Comment #4 from IBM Bug Proxy <bugproxy(a)us.ibm.com> ---
------- Comment From tstaudt(a)de.ibm.com 2020-04-14 03:54 EDT-------
With no activity in this bug for years, I'm now closing this on the IBM side.
If the problem still needs to be addressed, please re-open or preferably open a
new bug.
Thanks.