https://bugzilla.redhat.com/show_bug.cgi?id=1705924
Bug ID: 1705924
Summary: CVE-2019-10241 jetty: using specially formatted URL against DefaultServlet or ResourceHandler leads to XSS conditions
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190422,reported=20190423,source=cve,cvss3=4.7/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N,cwe=CWE-79,fedora-all/jetty=affected,rhel-6/jetty-eclipse=new,rhel-7/jetty=new,fuse-6/jetty=new,fuse-7/jetty=new,rhn_satellite_5/jetty=new,rhscl-3/rh-java-common-jetty=new
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: mrehak@redhat.com
CC: aileenc@redhat.com, bkearney@redhat.com, chazlett@redhat.com, decathorpe@gmail.com, eclipse-sig@lists.fedoraproject.org, ggainey@redhat.com, hhorak@redhat.com, janstey@redhat.com, java-maint@redhat.com, java-sig-commits@lists.fedoraproject.org, jjohnstn@redhat.com, jochrist@redhat.com, jorton@redhat.com, krzysztof.daniel@gmail.com, mizdebsk@redhat.com, sochotni@redhat.com, stewardship-sig@lists.fedoraproject.org, tlestach@redhat.com
Target Milestone: ---
Classification: Other

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.
External References: https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121
Marian Rehak mrehak@redhat.com changed:
What | Removed | Added
Depends On | | 1705925
--- Comment #1 from Marian Rehak mrehak@redhat.com ---
Created jetty tracking bugs for this issue:
Affects: fedora-all [bug 1705925]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1705925 [Bug 1705925] CVE-2019-10241 jetty: using specially formatted URL against DefaultServlet or ResourceHandler leads to XSS conditions [fedora-all]
Marian Rehak mrehak@redhat.com changed:
What | Removed | Added
Blocks | | 1705926
Yogendra Jog yjog@redhat.com changed:
What | Removed | Added
CC | | cbuissar@redhat.com
Flags | | needinfo?(cbuissar@redhat.com)
--- Comment #2 from Yogendra Jog yjog@redhat.com ---
As discussed with Cedric, review this for SAT5.8, moderate impact. If the impact is the same for SAT5.8, does it need to be closed as NEW:OOSS?

Regards,
YOG
Yogendra Jog yjog@redhat.com changed:
What | Removed | Added
CC | | yjog@redhat.com
Yogendra Jog yjog@redhat.com changed:
What | Removed | Added
Flags | needinfo?(cbuissar@redhat.com) |
--- Comment #3 from Joshua Padman jpadman@redhat.com ---
This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Fuse 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Cedric Buissart 🐶 cbuissar@redhat.com changed:
What | Removed | Added
Whiteboard | impact=moderate,public=20190422,reported=20190423,source=cve,cvss3=4.7/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N,cwe=CWE-79,fedora-all/jetty=affected,rhel-6/jetty-eclipse=new,rhel-7/jetty=new,fuse-6/jetty=new,fuse-7/jetty=new,rhn_satellite_5/jetty=new,rhscl-3/rh-java-common-jetty=new | impact=moderate,public=20190422,reported=20190423,source=cve,cvss3=4.7/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N,cwe=CWE-79,fedora-all/jetty=affected,rhel-6/jetty-eclipse=new,rhel-7/jetty=new,fuse-6/jetty=new,fuse-7/jetty=new,rhn_satellite_5/nutch=new/impact=low,rhscl-3/rh-java-common-jetty=new
--- Comment #4 from Cedric Buissart 🐶 cbuissar@redhat.com ---
Statement:

This issue affects the version of jetty that is embedded in the nutch package as shipped with Red Hat Satellite 5. The jetty server is not exposed; as such, exploitation is difficult. Red Hat Product Security has rated this issue as having a security impact of Low in the context of Red Hat Satellite 5. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Bug 1705924 depends on bug 1705925, which changed state.
Bug 1705925 Summary: CVE-2019-10241 jetty: using specially formatted URL against DefaultServlet or ResourceHandler leads to XSS conditions [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1705925
What | Removed | Added
Status | NEW | CLOSED
Resolution | --- | RAWHIDE
Doran Moppert dmoppert@redhat.com changed:
What | Removed | Added
Fixed In Version | | jetty 9.2.27, jetty 9.3.26, jetty 9.4.16
Jonathan Christison jochrist@redhat.com changed:
What | Removed | Added
CC | | ataylor@redhat.com, drieden@redhat.com, ganandan@redhat.com, ggaughan@redhat.com, jwon@redhat.com
--- Comment #10 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat AMQ
Via RHSA-2020:0922 https://access.redhat.com/errata/RHSA-2020:0922
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:0922
Product Security DevOps Team prodsec-dev@redhat.com changed:
What | Removed | Added
Status | NEW | CLOSED
Resolution | --- | ERRATA
Last Closed | | 2020-03-23 10:32:12

--- Comment #11 from Product Security DevOps Team prodsec-dev@redhat.com ---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-10241
--- Comment #12 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat AMQ 7.4.3
Via RHSA-2020:1445 https://access.redhat.com/errata/RHSA-2020:1445
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:1445