Vulnerability Name: CVE-2019-10246 (CCN-160611)
Assigned: 2019-04-22
Published: 2019-04-22
Updated: 2021-06-14

Summary: In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.

CVSS v3 Severity:
5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low; Integrity (I): None; Availability (A): None

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low; Integrity (I): None; Availability (A): None

CVSS v2 Severity:
5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial; Integrity (I): None; Availability (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial; Integrity (I): None; Availability (A): None

Vulnerability Type: CWE-200
Vulnerability Consequences: Obtain Information

References:
Source: MITRE; Type: CNA; Reference: CVE-2019-10246
Source: CCN; Type: Bugzilla Bug 546576; Reference: Jetty CVE Request: Information Reveal - Windows Directory Listings
Source: CONFIRM; Type: Issue Tracking, Vendor Advisory; Reference: https://bugs.eclipse.org/bugs/show_bug.cgi?id=546576
Source: XF; Type: UNKNOWN; Reference: eclipse-cve201910246-info-disc(160611)
Source: CCN; Type: Jetty GIT Repository; Reference: Directory Listing on Windows reveals Resource Base path #3549
Source: MLIST; Type: Mailing List, Third Party Advisory; Reference: [nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html
Source: MLIST; Type: Mailing List, Third Party Advisory; Reference: [nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html
Source: CONFIRM; Type: Third Party Advisory; Reference: https://security.netapp.com/advisory/ntap-20190509-0003/
Source: CCN; Type: IBM Security Bulletin 887913 (Netcool Agile Service Manager); Reference: Multiple vulnerabilities in Jetty affect Netcool Agile Service Manager (CVE-2019-10247, CVE-2019-10246)
Source: CCN; Type: IBM Security Bulletin 1073978 (Sterling Connect:Direct Browser User Interface); Reference: Java Vulnerability Affects IBM Sterling Connect:Direct Browser User Interface (CVE-2019-10241, CVE-2019-10246 & CVE-2019-10247)
Source: CCN; Type: IBM Security Bulletin 1077195 (Connect:Direct Web Services); Reference: Java Vulnerability Affects IBM Connect:Direct Web Services (CVE-2019-10246, CVE-2019-10247, CVE-2019-10241 & CVE-2018-12545)
Source: CCN; Type: IBM Security Bulletin 6445357 (Log Analysis); Reference: Multiple vulnerabilities in Eclipse Jetty affect Apache Solr shipped with IBM Operations Analytics - Log Analysis
Source: CCN; Type: IBM Security Bulletin 6466729 (Cognos Analytics); Reference: IBM Cognos Analytics has addressed multiple vulnerabilities
Source: MISC; Type: UNKNOWN; Reference: https://www.oracle.com/security-alerts/cpuApr2021.html
Source: MISC; Type: Third Party Advisory; Reference: https://www.oracle.com/security-alerts/cpujan2020.html
Source: MISC; Type: Third Party Advisory; Reference: https://www.oracle.com/security-alerts/cpujan2021.html
Source: MISC; Type: Third Party Advisory; Reference: https://www.oracle.com/security-alerts/cpujul2020.html
Source: MISC; Type: Third Party Advisory; Reference: https://www.oracle.com/security-alerts/cpuoct2020.html
Source: MISC; Type: Third Party Advisory; Reference: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Source: CCN; Type: WhiteSource Vulnerability Database; Reference: CVE-2019-10246

Vulnerable Configuration:

Configuration 1:
cpe:/a:eclipse:jetty:9.4.16:20190411:*:*:*:*:*:* OR
cpe:/a:eclipse:jetty:9.2.27:20190403:*:*:*:*:*:* OR
cpe:/a:eclipse:jetty:9.3.26:20190403:*:*:*:*:*:*
AND
cpe:/o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration 2:
cpe:/a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* (Version >= 3.0 and <= 3.1.3) OR
cpe:/a:netapp:snap_creator_framework:-:*:*:*:*:*:*:* OR
cpe:/a:netapp:snapcenter:-:*:*:*:*:*:*:* OR
cpe:/a:netapp:snapmanager:-:-:*:*:*:oracle:*:* OR
cpe:/a:netapp:snapmanager:-:-:*:*:*:sap:*:* OR
cpe:/a:netapp:storage_replication_adapter_for_clustered_data_ontap:9.6:*:*:*:*:*:*:* OR
cpe:/a:netapp:storage_replication_adapter_for_clustered_data_ontap:*:*:*:*:*:vmware_vsphere:*:* (Version >= 9.6) OR
cpe:/a:netapp:storage_services_connector:-:*:*:*:*:*:*:* OR
cpe:/a:netapp:vasa_provider_for_clustered_data_ontap:-:*:*:*:*:*:*:* OR
cpe:/a:netapp:vasa_provider_for_clustered_data_ontap:*:*:*:*:*:*:*:* (Version >= 9.6) OR
cpe:/a:netapp:virtual_storage_console:9.6:*:*:*:*:*:*:* OR
cpe:/a:netapp:virtual_storage_console:*:*:*:*:*:vmware_vsphere:*:* (Version >= 9.6) OR
cpe:/o:netapp:element:-:*:*:*:*:vcenter_server:*:*

Configuration 3:
cpe:/a:oracle:autovue:21.0.2:*:*:*:*:*:*:* OR
cpe:/a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:* OR
cpe:/a:oracle:communications_element_manager:8.0.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:communications_element_manager:8.1.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:* OR
cpe:/a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:communications_services_gatekeeper:6.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:communications_services_gatekeeper:6.1:*:*:*:*:*:*:* OR
cpe:/a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:communications_session_report_manager:8.0.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:communications_session_report_manager:8.1.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:* OR
cpe:/a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:* OR
cpe:/a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:flexcube_core_banking:5.2.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:* OR
cpe:/a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:enterprise_manager_base_platform:13.3:*:*:*:*:*:*:* OR
cpe:/a:oracle:enterprise_manager_base_platform:13.2:*:*:*:*:*:*:* OR
cpe:/a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:* OR
cpe:/a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:* OR
cpe:/a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:* OR
cpe:/a:oracle:rest_data_services:18c:*:*:*:-:*:*:* OR
cpe:/a:oracle:flexcube_core_banking:*:*:*:*:*:*:*:* (Version >= 11.5.0 and <= 11.7.0) OR
cpe:/a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:* OR
cpe:/a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:communications_session_route_manager:8.0.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:communications_session_route_manager:8.1.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:unified_directory:12.2.1.3.0:*:*:*:*:*:*:* OR
cpe:/a:oracle:unified_directory:12.2.1.4.0:*:*:*:*:*:*:*

Configuration CCN 1:
cpe:/a:eclipse:jetty:9.2.27:*:*:*:*:*:*:* OR
cpe:/a:eclipse:jetty:9.3.26:20190403:*:*:*:*:*:* OR
cpe:/a:eclipse:jetty:9.4.16:20190411:*:*:*:*:*:*
AND
cpe:/a:ibm:cognos_analytics:11.0:*:*:*:*:*:*:* OR
cpe:/a:ibm:netcool_agile_service_manager:1.1.3:*:*:*:*:*:*:* OR
cpe:/a:ibm:netcool_agile_service_manager:1.1.4:*:*:*:*:*:*:* OR
cpe:/a:ibm:cognos_analytics:11.1:*:*:*:*:*:*:* OR
cpe:/a:ibm:log_analysis:1.3.1:*:*:*:*:*:*:* OR
cpe:/a:ibm:log_analysis:1.3.2:*:*:*:*:*:*:* OR
cpe:/a:ibm:log_analysis:1.3.3:*:*:*:*:*:*:* OR
cpe:/a:ibm:log_analysis:1.3.4:*:*:*:*:*:*:* OR
cpe:/a:ibm:log_analysis:1.3.5:*:*:*:*:*:*:* OR
cpe:/a:ibm:log_analysis:1.3.6:*:*:*:*:*:*:*
Affected components (the CPE entries above, listed by vendor, product, version and update):

| Vendor | Product | Version | Update |
|---|---|---|---|
| eclipse | jetty | 9.4.16 | 20190411 |
| eclipse | jetty | 9.2.27 | 20190403 |
| eclipse | jetty | 9.3.26 | 20190403 |
| microsoft | windows | - | |
| netapp | oncommand system manager | * | |
| netapp | snap creator framework | - | |
| netapp | snapcenter | - | |
| netapp | snapmanager | - | - |
| netapp | snapmanager | - | - |
| netapp | storage replication adapter for clustered data ontap | 9.6 | |
| netapp | storage replication adapter for clustered data ontap | * | |
| netapp | storage services connector | - | |
| netapp | vasa provider for clustered data ontap | - | |
| netapp | vasa provider for clustered data ontap | * | |
| netapp | virtual storage console | 9.6 | |
| netapp | virtual storage console | * | |
| netapp | element | - | |
| oracle | autovue | 21.0.2 | |
| oracle | communications analytics | 12.1.1 | |
| oracle | communications element manager | 8.0.0 | |
| oracle | communications element manager | 8.1.0 | |
| oracle | communications element manager | 8.1.1 | |
| oracle | communications element manager | 8.2.0 | |
| oracle | communications services gatekeeper | 6.0 | |
| oracle | communications services gatekeeper | 6.1 | |
| oracle | communications services gatekeeper | 7.0 | |
| oracle | communications session report manager | 8.0.0 | |
| oracle | communications session report manager | 8.1.0 | |
| oracle | communications session report manager | 8.1.1 | |
| oracle | retail xstore point of service | 15.0 | |
| oracle | flexcube private banking | 12.1.0 | |
| oracle | retail xstore point of service | 7.1 | |
| oracle | flexcube private banking | 12.0.0 | |
| oracle | flexcube core banking | 5.2.0 | |
| oracle | hospitality guest access | 4.2.0 | |
| oracle | hospitality guest access | 4.2.1 | |
| oracle | retail xstore point of service | 16.0 | |
| oracle | endeca information discovery integrator | 3.2.0 | |
| oracle | enterprise manager base platform | 13.3 | |
| oracle | enterprise manager base platform | 13.2 | |
| oracle | data integrator | 12.2.1.3.0 | |
| oracle | retail xstore point of service | 17.0 | |
| oracle | rest data services | 12.2.0.1 | |
| oracle | rest data services | 12.1.0.2 | |
| oracle | rest data services | 11.2.0.4 | |
| oracle | rest data services | 18c | |
| oracle | flexcube core banking | * | |
| oracle | data integrator | 12.2.1.4.0 | |
| oracle | communications session report manager | 8.2.0 | |
| oracle | communications session route manager | 8.1.1 | |
| oracle | communications session route manager | 8.2.0 | |
| oracle | communications session route manager | 8.0.0 | |
| oracle | communications session route manager | 8.1.0 | |
| oracle | unified directory | 12.2.1.3.0 | |
| oracle | unified directory | 12.2.1.4.0 | |
| eclipse | jetty | 9.2.27 | |
| eclipse | jetty | 9.3.26 | 20190403 |
| eclipse | jetty | 9.4.16 | 20190411 |
| ibm | cognos analytics | 11.0 | |
| ibm | netcool agile service manager | 1.1.3 | |
| ibm | netcool agile service manager | 1.1.4 | |
| ibm | cognos analytics | 11.1 | |
| ibm | log analysis | 1.3.1 | |
| ibm | log analysis | 1.3.2 | |
| ibm | log analysis | 1.3.3 | |
| ibm | log analysis | 1.3.4 | |
| ibm | log analysis | 1.3.5 | |
| ibm | log analysis | 1.3.6 | |