CVE-2019-17632: XSS

Published Nov 25, 2019

Updated

Eclipse Jetty is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the error messages to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Other sources

In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.

Affected Software

3 affected components

Mortbay Jetty=9.4.21-20190926

Mortbay Jetty=9.4.22-20191022

Mortbay Jetty=9.4.23-20191118

Event History

Nov 25, 2019

CVE Published

via MITRE·09:56 PM

Data Sourced

via MITRE·09:56 PM

DescriptionWeakness

Jun 29, 2021

Data Sourced

via IBM·12:00 AM

DescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

IBM-6466729

Frequently Asked Questions

What is CVE-2019-17632?

CVE-2019-17632 is a vulnerability in Eclipse Jetty that allows for cross-site scripting attacks.

How does CVE-2019-17632 affect Eclipse Jetty?

CVE-2019-17632 affects Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118.

What is the severity of CVE-2019-17632?

CVE-2019-17632 has a severity rating of 6.1, which is considered medium.

How can CVE-2019-17632 be exploited?

CVE-2019-17632 can be exploited by a remote attacker injecting malicious scripts into a web page using error messages.

How can I fix CVE-2019-17632 in Eclipse Jetty?

To fix CVE-2019-17632, make sure to upgrade your Eclipse Jetty installation to a version that includes the necessary patches.