CVE-2019-10247: Infoleak

Published Apr 18, 2019
·
Updated

Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw in the DefaultHandler. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information.

Other sources

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.

Affected Software

340 affected componentsFixes available
debian/jetty9
9.4.16-0+deb10u19.4.50-4+deb10u19.4.39-3+deb11u29.4.50-4+deb11u19.4.50-4+deb12u29.4.53-1
redhat/jetty<9.2.28
9.2.28
redhat/jetty<9.3.27
9.3.27
redhat/jetty<9.4.16
9.4.16
Eclipse Jetty=7.0.0-20091005
Eclipse Jetty=7.0.0-maintenance_0
Eclipse Jetty=7.0.0-maintenance_1
Eclipse Jetty=7.0.0-maintenance_2
Eclipse Jetty=7.0.0-maintenance_3
Eclipse Jetty=7.0.0-maintenance_4
Eclipse Jetty=7.0.0-rc0
Eclipse Jetty=7.0.0-rc1
Eclipse Jetty=7.0.0-rc3
Eclipse Jetty=7.0.0-rc4
Eclipse Jetty=7.0.0-rc5
Eclipse Jetty=7.0.0-rc6
Eclipse Jetty=7.0.1-20091125
Eclipse Jetty=7.0.2-20100331
Eclipse Jetty=7.0.2-rc0
Eclipse Jetty=7.1.0-20100505
Eclipse Jetty=7.1.0-rc0
Eclipse Jetty=7.1.0-rc1
Eclipse Jetty=7.1.1-20100517
Eclipse Jetty=7.1.2-20100523
Eclipse Jetty=7.1.3-20100526
Eclipse Jetty=7.1.4-20100610
Eclipse Jetty=7.1.5-20100705
Eclipse Jetty=7.1.6-20100715
Eclipse Jetty=7.2.0-20101020
Eclipse Jetty=7.2.0-rc0
Eclipse Jetty=7.2.1-20101111
Eclipse Jetty=7.2.2-20101205
Eclipse Jetty=7.3.0-20110203
Eclipse Jetty=7.3.1-20110307
Eclipse Jetty=7.4.0-20110414
Eclipse Jetty=7.4.0-rc0
Eclipse Jetty=7.4.1-20110513
Eclipse Jetty=7.4.2-20110526
Eclipse Jetty=7.4.3-20110630
Eclipse Jetty=7.4.3-20110701
Eclipse Jetty=7.4.4-20110707
Eclipse Jetty=7.4.5-20110725
Eclipse Jetty=7.5.0-20110901
Eclipse Jetty=7.5.0-rc0
Eclipse Jetty=7.5.0-rc1
Eclipse Jetty=7.5.0-rc2
Eclipse Jetty=7.5.1-20110908
Eclipse Jetty=7.5.2-20111006
Eclipse Jetty=7.5.3-20111011
Eclipse Jetty=7.5.4-20111024
Eclipse Jetty=7.6.0-20120125
Eclipse Jetty=7.6.0-20120127
Eclipse Jetty=7.6.0-rc0
Eclipse Jetty=7.6.0-rc1
Eclipse Jetty=7.6.0-rc2
Eclipse Jetty=7.6.0-rc3
Eclipse Jetty=7.6.0-rc4
Eclipse Jetty=7.6.0-rc5
Eclipse Jetty=7.6.1-20120215
Eclipse Jetty=7.6.2-20120302
Eclipse Jetty=7.6.2-20120308
Eclipse Jetty=7.6.3-20120413
Eclipse Jetty=7.6.3-20120416
Eclipse Jetty=7.6.4-20120522
Eclipse Jetty=7.6.4-20120524
Eclipse Jetty=7.6.5-20120713
Eclipse Jetty=7.6.5-20120716
Eclipse Jetty=7.6.6-20120903
Eclipse Jetty=7.6.7-20120910
Eclipse Jetty=7.6.8-20121106
Eclipse Jetty=7.6.9-20130131
Eclipse Jetty=7.6.10-20130312
Eclipse Jetty=7.6.11-20130520
Eclipse Jetty=7.6.11-20130725
Eclipse Jetty=7.6.12-20130726
Eclipse Jetty=7.6.13-20130910
Eclipse Jetty=7.6.13-20130916
Eclipse Jetty=7.6.14-20131031
Eclipse Jetty=7.6.15-20140411
Eclipse Jetty=7.6.16-20140903
Eclipse Jetty=7.6.17-20150415
Eclipse Jetty=7.6.18-20150929
Eclipse Jetty=7.6.19-20160209
Eclipse Jetty=7.6.20-20160902
Eclipse Jetty=7.6.21-20160908
Eclipse Jetty=8.0.0-20110901
Eclipse Jetty=8.0.0-maintenance_0
Eclipse Jetty=8.0.0-maintenance_1
Eclipse Jetty=8.0.0-maintenance_2
Eclipse Jetty=8.0.0-maintenance_3
Eclipse Jetty=8.0.0-rc0
Eclipse Jetty=8.0.1-20110908
Eclipse Jetty=8.0.2-20111006
Eclipse Jetty=8.0.3-20111011
Eclipse Jetty=8.0.4-20111024
Eclipse Jetty=8.1.0-20120127
Eclipse Jetty=8.1.0-rc0
Eclipse Jetty=8.1.0-rc1
Eclipse Jetty=8.1.0-rc2
Eclipse Jetty=8.1.0-rc4
Eclipse Jetty=8.1.0-rc5
Eclipse Jetty=8.1.1-20120215
Eclipse Jetty=8.1.2-20120302
Eclipse Jetty=8.1.2-20120308
Eclipse Jetty=8.1.3-20120416
Eclipse Jetty=8.1.4-20120524
Eclipse Jetty=8.1.5-20120713
Eclipse Jetty=8.1.5-20120716
Eclipse Jetty=8.1.6-20120903
Eclipse Jetty=8.1.7-20120910
Eclipse Jetty=8.1.8-20121106
Eclipse Jetty=8.1.9-20130131
Eclipse Jetty=8.1.10-20130312
Eclipse Jetty=8.1.11-20130520
Eclipse Jetty=8.1.12-20130725
Eclipse Jetty=8.1.12-20130726
Eclipse Jetty=8.1.13-20130910
Eclipse Jetty=8.1.13-20130916
Eclipse Jetty=8.1.14-20131031
Eclipse Jetty=8.1.15-20140411
Eclipse Jetty=8.1.16-20140903
Eclipse Jetty=8.1.17-20150415
Eclipse Jetty=8.1.18-20150929
Eclipse Jetty=8.1.19-20160209
Eclipse Jetty=8.1.20-20160902
Eclipse Jetty=8.1.21-20160908
Eclipse Jetty=8.1.22-20160922
Eclipse Jetty=8.2.0-20160908
Eclipse Jetty=9.0.0-20130308
Eclipse Jetty=9.0.0-m5
Eclipse Jetty=9.0.0-maintenance_0
Eclipse Jetty=9.0.0-maintenance_1
Eclipse Jetty=9.0.0-maintenance_2
Eclipse Jetty=9.0.0-maintenance_3
Eclipse Jetty=9.0.0-maintenance_4
Eclipse Jetty=9.0.0-maintenance_5
Eclipse Jetty=9.0.0-rc0
Eclipse Jetty=9.0.0-rc1
Eclipse Jetty=9.0.0-rc2
Eclipse Jetty=9.0.0-rc3
Eclipse Jetty=9.0.1-20130408
Eclipse Jetty=9.0.2-20130417
Eclipse Jetty=9.0.2-20140415
Eclipse Jetty=9.0.3-20130506
Eclipse Jetty=9.0.4-20130621
Eclipse Jetty=9.0.4-20130625
Eclipse Jetty=9.0.5-20130813
Eclipse Jetty=9.0.5-20130815
Eclipse Jetty=9.0.6-20130919
Eclipse Jetty=9.0.6-20130930
Eclipse Jetty=9.0.7-20131031
Eclipse Jetty=9.0.7-20131107
Eclipse Jetty=9.1.0-20131115
Eclipse Jetty=9.1.0-maintenance_0
Eclipse Jetty=9.1.0-rc0
Eclipse Jetty=9.1.0-rc1
Eclipse Jetty=9.1.0-rc2
Eclipse Jetty=9.1.1-20140108
Eclipse Jetty=9.1.2-20140210
Eclipse Jetty=9.1.3-20140225
Eclipse Jetty=9.1.4-20140401
Eclipse Jetty=9.1.5-20140505
Eclipse Jetty=9.1.6-20151106
Eclipse Jetty=9.1.6-20160112
Eclipse Jetty=9.2.0-20140523
Eclipse Jetty=9.2.0-20140526
Eclipse Jetty=9.2.0-maintenance_0
Eclipse Jetty=9.2.0-maintenance_1
Eclipse Jetty=9.2.0-rc0
Eclipse Jetty=9.2.1-20140609
Eclipse Jetty=9.2.2-20140723
Eclipse Jetty=9.2.3-20140905
Eclipse Jetty=9.2.4-20141103
Eclipse Jetty=9.2.5-20141112
Eclipse Jetty=9.2.6-20141203
Eclipse Jetty=9.2.6-20141205
Eclipse Jetty=9.2.7-20150116
Eclipse Jetty=9.2.8-20150217
Eclipse Jetty=9.2.9-20150224
Eclipse Jetty=9.2.10-20150310
Eclipse Jetty=9.2.11-20150528
Eclipse Jetty=9.2.11-20150529
Eclipse Jetty=9.2.11-maintenance_0
Eclipse Jetty=9.2.12-20150709
Eclipse Jetty=9.2.12-maintenance_0
Eclipse Jetty=9.2.13-20150730
Eclipse Jetty=9.2.14-20151106
Eclipse Jetty=9.2.15-20160210
Eclipse Jetty=9.2.16-20160407
Eclipse Jetty=9.2.16-20160414
Eclipse Jetty=9.2.17-20160517
Eclipse Jetty=9.2.18-20160721
Eclipse Jetty=9.2.19-20160908
Eclipse Jetty=9.2.20-20161216
Eclipse Jetty=9.2.21-20170120
Eclipse Jetty=9.2.22-20170606
Eclipse Jetty=9.2.23-20171218
Eclipse Jetty=9.2.24-20180105
Eclipse Jetty=9.2.25-20180606
Eclipse Jetty=9.2.26-20180806
Eclipse Jetty=9.2.27-20190403
Eclipse Jetty=9.3.0-20150601
Eclipse Jetty=9.3.0-20150608
Eclipse Jetty=9.3.0-20150612
Eclipse Jetty=9.3.0-maintenance0
Eclipse Jetty=9.3.0-maintenance1
Eclipse Jetty=9.3.0-maintenance2
Eclipse Jetty=9.3.0-rc0
Eclipse Jetty=9.3.0-rc1
Eclipse Jetty=9.3.1-20150714
Eclipse Jetty=9.3.2-20150730
Eclipse Jetty=9.3.3-20150825
Eclipse Jetty=9.3.3-20150827
Eclipse Jetty=9.3.4-20151005
Eclipse Jetty=9.3.4-20151007
Eclipse Jetty=9.3.4-rc0
Eclipse Jetty=9.3.4-rc1
Eclipse Jetty=9.3.5-20151012
Eclipse Jetty=9.3.6-20151106
Eclipse Jetty=9.3.7-20160115
Eclipse Jetty=9.3.7-rc0
Eclipse Jetty=9.3.7-rc1
Eclipse Jetty=9.3.8-20160311
Eclipse Jetty=9.3.8-20160314
Eclipse Jetty=9.3.8-rc0
Eclipse Jetty=9.3.9-20160517
Eclipse Jetty=9.3.9-maintenance_0
Eclipse Jetty=9.3.9-maintenance_1
Eclipse Jetty=9.3.10-20160621
Eclipse Jetty=9.3.10-maintenance_0
Eclipse Jetty=9.3.11-20160721
Eclipse Jetty=9.3.11-maintenance_0
Eclipse Jetty=9.3.12-20160915
Eclipse Jetty=9.3.13-20161014
Eclipse Jetty=9.3.13-maintenance_0
Eclipse Jetty=9.3.14-20161028
Eclipse Jetty=9.3.15-20161220
Eclipse Jetty=9.3.16-20170119
Eclipse Jetty=9.3.16-20170120
Eclipse Jetty=9.3.17-20170317
Eclipse Jetty=9.3.17-rc0
Eclipse Jetty=9.3.18-20170406
Eclipse Jetty=9.3.19-20170502
Eclipse Jetty=9.3.20-20170531
Eclipse Jetty=9.3.21-20170918
Eclipse Jetty=9.3.21-maintenance_0
Eclipse Jetty=9.3.21-rc0
Eclipse Jetty=9.3.22-20171030
Eclipse Jetty=9.3.23-20180228
Eclipse Jetty=9.3.24-20180605
Eclipse Jetty=9.3.25-20180904
Eclipse Jetty=9.3.26-20190403
Eclipse Jetty=9.4.0-20161207
Eclipse Jetty=9.4.0-20161208
Eclipse Jetty=9.4.0-20180619
Eclipse Jetty=9.4.0-maintenance_0
Eclipse Jetty=9.4.0-maintenance_1
Eclipse Jetty=9.4.0-rc0
Eclipse Jetty=9.4.0-rc1
Eclipse Jetty=9.4.0-rc2
Eclipse Jetty=9.4.0-rc3
Eclipse Jetty=9.4.1-20170120
Eclipse Jetty=9.4.1-20180619
Eclipse Jetty=9.4.2-20170220
Eclipse Jetty=9.4.2-20180619
Eclipse Jetty=9.4.3-20170317
Eclipse Jetty=9.4.3-20180619
Eclipse Jetty=9.4.4-20170410
Eclipse Jetty=9.4.4-20170414
Eclipse Jetty=9.4.4-20180619
Eclipse Jetty=9.4.5-20170502
Eclipse Jetty=9.4.5-20180619
Eclipse Jetty=9.4.6-20170531
Eclipse Jetty=9.4.6-20180619
Eclipse Jetty=9.4.7-20170914
Eclipse Jetty=9.4.7-20180619
Eclipse Jetty=9.4.7-rc0
Eclipse Jetty=9.4.8-20171121
Eclipse Jetty=9.4.8-20180619
Eclipse Jetty=9.4.9-20180320
Eclipse Jetty=9.4.10-20180503
Eclipse Jetty=9.4.10-rc0
Eclipse Jetty=9.4.10-rc1
Eclipse Jetty=9.4.11-20180605
Eclipse Jetty=9.4.12-20180830
Eclipse Jetty=9.4.12-rc0
Eclipse Jetty=9.4.12-rc1
Eclipse Jetty=9.4.12-rc2
Eclipse Jetty=9.4.13-20181111
Eclipse Jetty=9.4.14-20181114
Eclipse Jetty=9.4.15-20190215
NetApp OnCommand System Manager>=3.0<=3.1.3
NetApp Snap Creator Framework
NetApp Snapcenter
NetApp Snapmanager Oracle
NetApp Snapmanager Sap
NetApp Storage Replication Adapter For Clustered Data Ontap Vmware Vsphere>=9.6
NetApp Storage Services Connector
NetApp Vasa Provider For Clustered Data Ontap>=9.6
NetApp Virtual Storage Console Vmware Vsphere>=9.6
NetApp Element Vcenter Server
Oracle AutoVue=21.0.2
Oracle Communications Analytics=12.1.1
Oracle Communications Element Manager=8.0.0
Oracle Communications Element Manager=8.1.0
Oracle Communications Element Manager=8.1.1
Oracle Communications Element Manager=8.2.0
Oracle Communications Services Gatekeeper=6.0
Oracle Communications Services Gatekeeper=6.1
Oracle Communications Services Gatekeeper=7.0
Oracle Communications Session Report Manager=8.0.0
Oracle Communications Session Report Manager=8.1.0
Oracle Communications Session Report Manager=8.1.1
Oracle Communications Session Report Manager=8.2.0
Oracle Communications Session Route Manager=8.0.0
Oracle Communications Session Route Manager=8.1.0
Oracle Communications Session Route Manager=8.1.1
Oracle Communications Session Route Manager=8.2.0
Oracle Data Integrator=12.2.1.3.0
Oracle Data Integrator=12.2.1.4.0
Oracle Endeca Information Discovery Integrator=3.2.0
Oracle Enterprise Manager Base Platform=13.2
Oracle Enterprise Manager Base Platform=13.3
Oracle FLEXCUBE Core Banking>=11.5.0<=11.7.0
Oracle FLEXCUBE Core Banking=5.2.0
Oracle FLEXCUBE Private Banking=12.0.0
Oracle FLEXCUBE Private Banking=12.1.0
Oracle Fmw Platform=12.2.1.3.0
Oracle Fmw Platform=12.2.1.4.0
Oracle Hospitality Guest Access=4.2.0
Oracle Hospitality Guest Access=4.2.1
Oracle Retail Xstore Point of Service=7.1
Oracle Retail Xstore Point of Service=15.0
Oracle Retail Xstore Point of Service=16.0
Oracle Retail Xstore Point of Service=17.0
Oracle Unified Directory=12.2.1.3.0
Oracle Unified Directory=12.2.1.4.0
Debian Debian Linux=9.0
Debian Debian Linux=10.0
IBM GDE<=3.0.0.2

Remediation

Patch Available

https://www.oracle.com/security-alerts/cpuApr2021.html

Patch Available

https://www.oracle.com/security-alerts/cpuapr2020.html

Patch Available

https://www.oracle.com/security-alerts/cpujan2020.html

Patch Available

https://www.oracle.com/security-alerts/cpujan2021.html

Patch Available

https://www.oracle.com/security-alerts/cpujul2020.html

Patch Available

https://www.oracle.com/security-alerts/cpuoct2020.html

Patch Available

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Event History

Apr 18, 2019
CVE Published
12:00 AM
Data Sourced
12:00 AM
RemedyDescriptionSeverityWeaknessAffected Software
Apr 22, 2019
CVE Published
via MITRE·08:14 PM
Data Sourced
via MITRE·08:14 PM
DescriptionWeakness
May 3, 2019
Data Sourced
via Red Hat·11:14 AM
DescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2019-10247?

The severity of CVE-2019-10247 is medium with a CVSS score of 5.3.

2

How does CVE-2019-10247 affect Eclipse Jetty?

CVE-2019-10247 affects Eclipse Jetty versions 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older.

3

What is the vulnerability description of CVE-2019-10247?

In Eclipse Jetty versions 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the request URI allowing an attacker to obtain sensitive information.

4

How can I fix CVE-2019-10247?

To fix CVE-2019-10247, upgrade to Jetty version 9.2.28 or later, 9.3.27 or later, or 9.4.17 or later.

5

Are there any references for CVE-2019-10247?

Yes, here are some references for CVE-2019-10247: [CVE Details](https://www.cve.org/CVERecord?id=CVE-2019-10247), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2019-10247), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1705993), [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2020:0922)

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203