CVE-2019-10241: XSS

Published Apr 22, 2019
·
Updated

Eclipse Jetty is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the DefaultServlet and ResourceHandler. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Other sources

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

Affected Software

145 affected componentsFixes available
debian/jetty9
9.4.16-0+deb10u19.4.50-4+deb10u19.4.39-3+deb11u29.4.50-4+deb11u19.4.50-4+deb12u29.4.53-1
redhat/jetty<9.2.27
9.2.27
redhat/jetty<9.3.26
9.3.26
redhat/jetty<9.4.16
9.4.16
Eclipse Jetty=9.2.0-20140523
Eclipse Jetty=9.2.0-20140526
Eclipse Jetty=9.2.0-maintenance_0
Eclipse Jetty=9.2.0-maintenance_1
Eclipse Jetty=9.2.0-rc0
Eclipse Jetty=9.2.1-20140609
Eclipse Jetty=9.2.2-20140723
Eclipse Jetty=9.2.3-20140905
Eclipse Jetty=9.2.4-20141103
Eclipse Jetty=9.2.5-20141112
Eclipse Jetty=9.2.6-20141203
Eclipse Jetty=9.2.6-20141205
Eclipse Jetty=9.2.7-20150116
Eclipse Jetty=9.2.8-20150217
Eclipse Jetty=9.2.9-20150224
Eclipse Jetty=9.2.10-20150310
Eclipse Jetty=9.2.11-20150528
Eclipse Jetty=9.2.11-20150529
Eclipse Jetty=9.2.11-maintenance_0
Eclipse Jetty=9.2.12-20150709
Eclipse Jetty=9.2.12-maintenance_0
Eclipse Jetty=9.2.13-20150730
Eclipse Jetty=9.2.14-20151106
Eclipse Jetty=9.2.15-20160210
Eclipse Jetty=9.2.16-20160407
Eclipse Jetty=9.2.16-20160414
Eclipse Jetty=9.2.17-20160517
Eclipse Jetty=9.2.18-20160721
Eclipse Jetty=9.2.19-20160908
Eclipse Jetty=9.2.20-20161216
Eclipse Jetty=9.2.21-20170120
Eclipse Jetty=9.2.22-20170606
Eclipse Jetty=9.2.23-20171218
Eclipse Jetty=9.2.24-20180105
Eclipse Jetty=9.2.25-20180606
Eclipse Jetty=9.2.26-20180806
Eclipse Jetty=9.3.0-20150601
Eclipse Jetty=9.3.0-20150608
Eclipse Jetty=9.3.0-20150612
Eclipse Jetty=9.3.0-maintenance0
Eclipse Jetty=9.3.0-maintenance1
Eclipse Jetty=9.3.0-maintenance2
Eclipse Jetty=9.3.0-rc0
Eclipse Jetty=9.3.0-rc1
Eclipse Jetty=9.3.1-20150714
Eclipse Jetty=9.3.2-20150730
Eclipse Jetty=9.3.3-20150825
Eclipse Jetty=9.3.3-20150827
Eclipse Jetty=9.3.4-20151005
Eclipse Jetty=9.3.4-20151007
Eclipse Jetty=9.3.4-rc0
Eclipse Jetty=9.3.4-rc1
Eclipse Jetty=9.3.5-20151012
Eclipse Jetty=9.3.6-20151106
Eclipse Jetty=9.3.7-20160115
Eclipse Jetty=9.3.7-rc0
Eclipse Jetty=9.3.7-rc1
Eclipse Jetty=9.3.8-20160311
Eclipse Jetty=9.3.8-20160314
Eclipse Jetty=9.3.8-rc0
Eclipse Jetty=9.3.9-20160517
Eclipse Jetty=9.3.9-maintenance_0
Eclipse Jetty=9.3.9-maintenance_1
Eclipse Jetty=9.3.10-20160621
Eclipse Jetty=9.3.10-maintenance_0
Eclipse Jetty=9.3.11-20160721
Eclipse Jetty=9.3.11-maintenance_0
Eclipse Jetty=9.3.12-20160915
Eclipse Jetty=9.3.13-20161014
Eclipse Jetty=9.3.13-maintenance_0
Eclipse Jetty=9.3.14-20161028
Eclipse Jetty=9.3.15-20161220
Eclipse Jetty=9.3.16-20170119
Eclipse Jetty=9.3.16-20170120
Eclipse Jetty=9.3.17-20170317
Eclipse Jetty=9.3.17-rc0
Eclipse Jetty=9.3.18-20170406
Eclipse Jetty=9.3.19-20170502
Eclipse Jetty=9.3.20-20170531
Eclipse Jetty=9.3.21-20170918
Eclipse Jetty=9.3.21-maintenance_0
Eclipse Jetty=9.3.21-rc0
Eclipse Jetty=9.3.22-20171030
Eclipse Jetty=9.3.23-20180228
Eclipse Jetty=9.3.24-20180605
Eclipse Jetty=9.3.25-20180904
Eclipse Jetty=9.4.0-20161207
Eclipse Jetty=9.4.0-20161208
Eclipse Jetty=9.4.0-20180619
Eclipse Jetty=9.4.0-maintenance_0
Eclipse Jetty=9.4.0-maintenance_1
Eclipse Jetty=9.4.0-rc0
Eclipse Jetty=9.4.0-rc1
Eclipse Jetty=9.4.0-rc2
Eclipse Jetty=9.4.0-rc3
Eclipse Jetty=9.4.1-20170120
Eclipse Jetty=9.4.1-20180619
Eclipse Jetty=9.4.2-20170220
Eclipse Jetty=9.4.2-20180619
Eclipse Jetty=9.4.3-20170317
Eclipse Jetty=9.4.3-20180619
Eclipse Jetty=9.4.4-20170410
Eclipse Jetty=9.4.4-20170414
Eclipse Jetty=9.4.4-20180619
Eclipse Jetty=9.4.5-20170502
Eclipse Jetty=9.4.5-20180619
Eclipse Jetty=9.4.6-20170531
Eclipse Jetty=9.4.6-20180619
Eclipse Jetty=9.4.7-20170914
Eclipse Jetty=9.4.7-20180619
Eclipse Jetty=9.4.7-rc0
Eclipse Jetty=9.4.8-20171121
Eclipse Jetty=9.4.8-20180619
Eclipse Jetty=9.4.9-20180320
Eclipse Jetty=9.4.10-20180503
Eclipse Jetty=9.4.10-rc0
Eclipse Jetty=9.4.10-rc1
Eclipse Jetty=9.4.11-20180605
Eclipse Jetty=9.4.12-20180830
Eclipse Jetty=9.4.12-rc0
Eclipse Jetty=9.4.12-rc1
Eclipse Jetty=9.4.12-rc2
Eclipse Jetty=9.4.13-20181111
Eclipse Jetty=9.4.14-20181114
Eclipse Jetty=9.4.15-20190215
Debian Debian Linux=9.0
Debian Debian Linux=10.0
Apache ActiveMQ=5.15.9
Apache Drill=1.16.0
Oracle FLEXCUBE Core Banking>=11.5.0<=11.7.0
Oracle FLEXCUBE Core Banking=5.2.0
Oracle REST Data Services=11.2.0.4
Oracle REST Data Services=12.1.0.2
Oracle REST Data Services=12.2.0.1
Oracle REST Data Services=18c
Oracle Retail Xstore Point of Service=7.1
Oracle Retail Xstore Point of Service=15.0
Oracle Retail Xstore Point of Service=16.0
Oracle Retail Xstore Point of Service=17.0
IBM Cognos Analytics<=12.0.0-12.0.3
IBM Cognos Analytics<=11.2.0-11.2.4 FP3

Remediation

Patch Available

https://www.oracle.com/security-alerts/cpuoct2020.html

Patch Available

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Event History

Apr 22, 2019
CVE Published
12:00 AM
Data Sourced
12:00 AM
RemedyDescriptionSeverityWeaknessAffected Software
CVE Published
via MITRE·08:14 PM
Data Sourced
via MITRE·08:14 PM
DescriptionWeakness
May 3, 2019
Data Sourced
via Red Hat·08:42 AM
DescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the vulnerability ID for this Jetty vulnerability?

The vulnerability ID for this Jetty vulnerability is CVE-2019-10241.

2

What is the severity of CVE-2019-10241?

The severity of CVE-2019-10241 is medium.

3

How does the vulnerability in CVE-2019-10241 manifest?

The vulnerability in CVE-2019-10241 manifests as XSS (cross-site scripting) conditions when a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

4

Which versions of Eclipse Jetty are affected by CVE-2019-10241?

Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older are affected by CVE-2019-10241.

5

How can I fix CVE-2019-10241?

To fix CVE-2019-10241, update to Jetty version 9.2.27 (or later), 9.3.26 (or later), or 9.4.16 (or later), depending on the version you are using.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203