Vulnerability Description
In Eclipse Jetty versions 9.2.27, 9.3.26, and 9.4.16, a server running on Windows exposes the fully qualified Base Resource directory name to a remote client when it is configured to show a listing of directory contents. The disclosure is restricted to the content in the configured base resource directories.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eclipse | Jetty | 9.2.27 |
| Microsoft | Windows | - |
| Netapp | Oncommand System Manager | >= 3.0, <= 3.1.3 |
| Netapp | Snap Creator Framework | - |
| Netapp | Snapcenter | - |
| Netapp | Snapmanager | - |
| Netapp | Storage Replication Adapter For Clustered Data Ontap | >= 9.6 |
| Netapp | Storage Services Connector | - |
| Netapp | Vasa Provider For Clustered Data Ontap | >= 9.6 |
| Netapp | Virtual Storage Console | >= 9.6 |
| Netapp | Element | - |
| Oracle | Autovue | 21.0.2 |
| Oracle | Communications Analytics | 12.1.1 |
| Oracle | Communications Element Manager | 8.0.0 |
| Oracle | Communications Services Gatekeeper | 6.0 |
| Oracle | Communications Session Report Manager | 8.0.0 |
| Oracle | Communications Session Route Manager | 8.0.0 |
| Oracle | Data Integrator | 12.2.1.3.0 |
| Oracle | Endeca Information Discovery Integrator | 3.2.0 |
| Oracle | Enterprise Manager Base Platform | 13.2 |
Related Weaknesses (CWE)
References
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=546576 (Issue Tracking, Vendor Advisory)
- https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551
- https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b
- https://security.netapp.com/advisory/ntap-20190509-0003/ (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2020.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2021.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2020.html (Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html (Third Party Advisory)
FAQ
What is CVE-2019-10246?
CVE-2019-10246 is a vulnerability with a CVSS score of 5.3 (MEDIUM). In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it i...
How severe is CVE-2019-10246?
CVE-2019-10246 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-10246?
Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Jetty, Microsoft Windows, Netapp Oncommand System Manager, Netapp Snap Creator Framework, Netapp Snapcenter.