Bug 535670 (CVE-2018-12536) - Jetty: CVE Request: InvalidPathException message
Summary: Jetty: CVE Request: InvalidPathException message
Status: CLOSED FIXED
Alias: CVE-2018-12536
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: PC Mac OS X
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects CLA
Reported: 2018-06-07 15:38 EDT by Jesse McConnell CLA
Modified: 2023-10-25 03:31 EDT
Description Jesse McConnell CLA 2018-06-07 15:38:32 EDT
Information Disclosure - InvalidPathException message

When an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using.
This InvalidPathException is then fed to the default Error Handler which presents the InvalidPathException message and/or stacktrace to the HTTP response.
This reveals the path to the requesting system.

CVE Risk: filesystem path to webapp is revealed.

Versions affected:
  No EOL releases - 9.2.x and older (all configurations)
  9.3.x (all configurations)
  9.4.x (all configurations)

Resolved:
  9.3.24.v20180605
  9.4.11.v20180605
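
The disclosure described above, as an added illustration (not code from this report or from Jetty): an InvalidPathException message carries the resolved input string, so a response body built from it reveals the base directory, while a handler that logs the detail and returns a reference id does not. The class and method names, the sample directory and the 400 status are assumptions made for this example.

```java
import java.nio.file.InvalidPathException;
import java.util.UUID;
import java.util.logging.Logger;

public class PathErrorDisclosureDemo {
    private static final Logger LOG = Logger.getLogger("error-handler");

    // Leaky pattern: the exception message goes straight into the response body.
    static String leakyBody(Throwable cause) {
        return "HTTP ERROR 500\nCaused by: " + cause.getMessage();
    }

    // Hardened pattern: full detail stays in the server log under a reference id;
    // the client only receives a generic message and that id.
    static String safeBody(Throwable cause) {
        String ref = UUID.randomUUID().toString();
        LOG.warning("ref=" + ref + " " + cause);
        return "HTTP ERROR 400\nBad request (ref " + ref + ")";
    }

    // Regression check: does a response body reveal the base resource directory?
    static boolean leaksBaseDir(String body, String baseDir) {
        return body.contains(baseDir);
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the bug report.
        String baseDir = "/opt/example/webapps/root";
        String resolved = baseDir + "/static/<bad-char>.txt";

        // Stand-in for the exception thrown during path resolution. The JDK builds
        // the message as "<reason>[ at index N]: <input>", so the input is included.
        InvalidPathException ex = new InvalidPathException(
                resolved, "Illegal character (constructed)", baseDir.length() + 8);

        String leaky = leakyBody(ex);
        String safe = safeBody(ex);

        System.out.println(leaky);
        System.out.println("leaky body reveals base dir: " + leaksBaseDir(leaky, baseDir));
        System.out.println(safe);
        System.out.println("safe body reveals base dir: " + leaksBaseDir(safe, baseDir));
    }
}
```

A check like `leaksBaseDir` can be run against captured error responses from a deployed webapp to confirm that a custom error handler, or an upgrade to one of the resolved releases, has removed the path from the response.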
Comment 1 Greg Wilkins CLA 2018-06-08 04:18:48 EDT
Found and reported by Okan Coşkun <okan.coskun@biznet.com.tr>
Comment 2 Wayne Beaton CLA 2018-06-18 13:24:07 EDT
How does this sound?

"In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. This InvalidPathException is then fed to the default Error Handler which presents the InvalidPathException message and/or stacktrace to the HTTP response, revealing the path to the requesting system."
Comment 3 Greg Wilkins CLA 2018-06-18 13:58:30 EDT
Looks good except I would say that it may be passed to the default error handler. Many users override error handling so it may not be the case that information is always exposed.
Comment 4 Joakim Erdfelt CLA 2018-06-18 14:10:34 EDT
(In reply to Wayne Beaton from comment #2)
> How does this sound?
> 
> "In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and
> 9.4.x (non-default configuration with RFC2616 compliance enabled), when an
> intentionally bad query arrives that doesn't match a dynamic url-pattern,
> and is eventually handled by the DefaultServlet's static file serving, the
> bad characters can trigger a java.nio.file.InvalidPathException which
> includes the full path to the base resource directory that the
> DefaultServlet and/or webapp is using. This InvalidPathException is then fed
> to the default Error Handler which presents the InvalidPathException message
> and/or stacktrace to the HTTP response, revealing the path to the requesting
> system."

This is also not limited by configuration.

Perhaps it should read ..

"In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally ..."
Comment 5 Wayne Beaton CLA 2018-06-18 14:32:21 EDT
> CVE Risk: filesystem path to webapp is revealed.

I'm pretty sure that this is https://cwe.mitre.org/data/definitions/209.html

(In reply to Joakim Erdfelt from comment #4)
> This is also not limited by configuration.

So...

"In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. This InvalidPathException is then fed to the default Error Handler which presents the InvalidPathException message and/or stacktrace to the HTTP response, revealing the path to the requesting system."

Good to go?
Comment 6 Greg Wilkins CLA 2018-06-18 17:05:21 EDT
I would prefer:

"In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system."
Comment 7 Wayne Beaton CLA 2018-06-27 08:15:52 EDT
Pull request: https://github.com/CVEProject/cvelist/pull/655