Information Disclosure - InvalidPathException message

When an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. This InvalidPathException is then fed to the default Error Handler which presents the InvalidPathException message and/or stacktrace to the HTTP response. This reveals the path to the requesting system.

CVE Risk: filesystem path to webapp is revealed.

Versions affected:
No EOL releases - 9.2.x and older (all configurations)
9.3.x (all configurations)
9.4.x (all configurations)

Resolved:
9.3.24.v20180605
9.4.11.v20180605
Found and reported by Okan Coşkun <okan.coskun@biznet.com.tr>
How does this sound? "In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. This InvalidPathException is then fed to the default Error Handler which presents the InvalidPathException message and/or stacktrace to the HTTP response, revealing the path to the requesting system."
Looks good except I would say that it may be passed to the default error handler. Many users override error handling so it may not be the case that information is always exposed.
(In reply to Wayne Beaton from comment #2)
> How does this sound?
>
> "In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and
> 9.4.x (non-default configuration with RFC2616 compliance enabled), when an
> intentionally bad query arrives that doesn't match a dynamic url-pattern,
> and is eventually handled by the DefaultServlet's static file serving, the
> bad characters can trigger a java.nio.file.InvalidPathException which
> includes the full path to the base resource directory that the
> DefaultServlet and/or webapp is using. This InvalidPathException is then fed
> to the default Error Handler which presents the InvalidPathException message
> and/or stacktrace to the HTTP response, revealing the path to the requesting
> system."

This is also not limited by configuration. Perhaps it should read ..

"In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally ..."
> CVE Risk: filesystem path to webapp is revealed.

I'm pretty sure that this is https://cwe.mitre.org/data/definitions/209.html

(In reply to Joakim Erdfelt from comment #4)
> This is also not limited by configuration.

So...

"In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. This InvalidPathException is then fed to the default Error Handler which presents the InvalidPathException message and/or stacktrace to the HTTP response, revealing the path to the requesting system."

Good to go?
I would prefer: "In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system."
Pull request: https://github.com/CVEProject/cvelist/pull/655
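
The mechanism in the description above, as an added example that is not part of this thread and is not Jetty's code: when a base directory and a request path are joined before parsing, the JDK's InvalidPathException message carries the whole joined string, so echoing it to the client reveals the base directory, while a fixed error body does not. The class name, base directory and request path are constructed for illustration, and `lookup` is a simplified stand-in for static file resolution.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class InvalidPathLeakDemo {
    // Hypothetical base resource directory, constructed for this example.
    static final String BASE = "/srv/example/webapps/root";

    // Simplified static-file lookup: base and request path are joined
    // before parsing, so a parse failure reports the joined string.
    static Path lookup(String requestPath) {
        return Paths.get(BASE, requestPath);
    }

    // Behaviour described in the report: the exception message reaches the client.
    static String verboseError(String requestPath) {
        try {
            lookup(requestPath);
            return "200 OK";
        } catch (InvalidPathException e) {
            return "500 " + e.getMessage();
        }
    }

    // Hardened handling: detail stays in the server log, the client gets a fixed body.
    static String genericError(String requestPath) {
        try {
            lookup(requestPath);
            return "200 OK";
        } catch (InvalidPathException e) {
            System.err.println("rejected request path: " + e.getReason());
            return "400 Bad Request";
        }
    }

    public static void main(String[] args) {
        String bad = "logo\0.png"; // constructed input: NUL is not valid in a path
        for (String body : new String[] {verboseError(bad), genericError(bad)}) {
            // Replace the NUL only so the line prints cleanly.
            System.out.println(body.replace('\0', '?')
                + "  [contains base dir: " + body.contains(BASE) + "]");
        }
    }
}
```

A regression test for a deployment's custom error page can use the same check: request a path the server rejects and assert that the response body does not contain the configured base resource directory.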