Bug 546121 (CVE-2019-10241) - Jetty CVE Request: DefaultServlet / ResourceHandler XSS
Summary: Jetty CVE Request: DefaultServlet / ResourceHandler XSS
Status: RESOLVED FIXED
Alias: CVE-2019-10241
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports (show other bugs)
Version: unspecified
Hardware: All
OS: All
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilitied reported against Eclipse projects
QA Contact:
URL: https://cve.mitre.org/cgi-bin/cvename...
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2019-04-04 11:48 EDT by Joakim Erdfelt
Modified: 2023-08-31 11:40 EDT
CC List: 5 users

See Also:
Description Joakim Erdfelt 2019-04-04 11:48:17 EDT
This is an informational CVE only.

---

The server is vulnerable to XSS conditions if a remote client USES a
specially formatted URL against the DefaultServlet or ResourceHandler
that is configured for showing a Listing of directory contents.

CVE Risk: XSS

Versions affected: 
  9.2.26 and older (now EOL)
  9.3.25 and older
  9.4.15 and older

Resolved:
  9.2.27 (soon to be released)
  9.3.26 (released)
  9.4.16 (soon to be released)
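The report names two listing-capable components, DefaultServlet and ResourceHandler, and the remediation it gives is the fixed releases listed above. As an added defence-in-depth example (written here, not code from the Jetty project or the reporter), the following embedded-Jetty setup turns directory listing off for both components, which removes the listing page the report identifies as the XSS surface. Class and method names are Jetty 9.4 public API; the resource base paths are placeholders.

```java
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.server.handler.ResourceHandler;
import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

public class NoDirectoryListing {
    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);

        // ResourceHandler: the listing page is only generated when
        // directory listing is enabled, so state the setting explicitly.
        ResourceHandler resources = new ResourceHandler();
        resources.setResourceBase("/path/to/static");   // placeholder path
        resources.setDirectoriesListed(false);

        // DefaultServlet: the same control is the "dirAllowed" init parameter.
        ServletContextHandler context = new ServletContextHandler();
        context.setContextPath("/files");
        context.setResourceBase("/path/to/files");      // placeholder path
        ServletHolder holder = new ServletHolder("default", DefaultServlet.class);
        holder.setInitParameter("dirAllowed", "false");
        context.addServlet(holder, "/");

        HandlerList handlers = new HandlerList();
        handlers.addHandler(resources);
        handlers.addHandler(context);
        server.setHandler(handlers);

        server.start();
        server.join();
    }
}
```

Requests for a directory now get a 403 instead of a generated listing; this complements, and does not replace, upgrading to the resolved versions named in the report.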
Comment 1 Wayne Beaton 2019-04-04 11:54:05 EDT
Let's use CVE-2019-10241.

Let me know when you're ready to remove the "committers only" flag and disclose.
Comment 2 Joakim Erdfelt 2019-04-18 16:46:35 EDT
CVSS base score is

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:F
Comment 3 Joakim Erdfelt 2019-04-18 16:55:18 EDT
Please publish on Monday April 22nd.

This is the text we should include in the CVE report ...

--(start)--

The server is vulnerable to XSS conditions if a remote client USES a
specially formatted URL against the DefaultServlet or ResourceHandler
that is configured for showing a Listing of directory contents.

CVE Risk: XSS

Versions affected: 
  9.2.26 and older (now EOL)
  9.3.25 and older
  9.4.15 and older

Resolved:
  9.2.27.v20190403
  9.3.26.v20190403
  9.4.16.v20190411

--(end)--
Comment 4 Jesse McConnell 2019-04-18 17:32:03 EDT
In lieu of the CVSS, let's go with CWE-79.
Comment 5 Wayne Beaton 2019-04-22 13:43:51 EDT
Pull request: https://github.com/CVEProject/cvelist/pull/1931