https://bugzilla.redhat.com/show_bug.cgi?id=1705993
Bug ID: 1705993
Summary: CVE-2019-10247 jetty: error path information disclosure
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190418,reported=20190423,source=cve,cvss3=5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-200,fedora-all/jetty=affected,fuse-6/jetty=new,fuse-7/jetty=new,rhn_satellite_5/jetty=new,rhscl-3/rh-java-common-jetty=new,rhel-6/jetty-eclipse=new,rhel-7/jetty=new
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: darunesh@redhat.com
CC: aileenc@redhat.com, bkearney@redhat.com, chazlett@redhat.com, decathorpe@gmail.com, eclipse-sig@lists.fedoraproject.org, ggainey@redhat.com, hhorak@redhat.com, janstey@redhat.com, java-maint@redhat.com, java-sig-commits@lists.fedoraproject.org, jjohnstn@redhat.com, jochrist@redhat.com, jorton@redhat.com, krzysztof.daniel@gmail.com, mizdebsk@redhat.com, sochotni@redhat.com, stewardship-sig@lists.fedoraproject.org, tlestach@redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty versions 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server, on any OS and Jetty version combination, reveals the configured fully qualified directory base resource location in the output of the 404 error returned when no Context matches the requested path. The default server behaviour in jetty-distribution and jetty-home places a DefaultHandler at the end of the Handler tree. That handler is responsible for reporting this 404 error, and it presents the various configured contexts as HTML for users to click through to. The HTML it produces contains the configured fully qualified directory base resource location for each context.
Reference: https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577
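The handler chain described above can be hardened on an instance that cannot be upgraded yet, by keeping the fall-through DefaultHandler but switching off its context listing. The following is an added example written for this page; it is not code from the bug report or from the Jetty project. It assumes the embedded Jetty 9.4 API (`org.eclipse.jetty.server.*`), and the port, context path and resource directory are placeholders chosen for the example.

```java
// Added example (not from the bug report or the Jetty project): an embedded
// Jetty 9.4 server whose fall-through DefaultHandler has the context listing
// disabled, so an unmatched request gets a plain 404 instead of an HTML page
// naming each context's base resource directory.
// Assumes jetty-server 9.4.x on the classpath; the port, context path and
// resource base below are placeholders.
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ContextHandler;
import org.eclipse.jetty.server.handler.DefaultHandler;
import org.eclipse.jetty.server.handler.ErrorHandler;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.server.handler.ResourceHandler;

public class HardenedDefaultHandler {
    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);

        // One example context serving static files from a directory. On an
        // affected Jetty, this directory's absolute path is what the stock
        // DefaultHandler prints in its 404 context listing.
        ResourceHandler resources = new ResourceHandler();
        resources.setResourceBase("/srv/example-app/static"); // placeholder path
        resources.setDirectoriesListed(false);
        ContextHandler app = new ContextHandler("/app");
        app.setHandler(resources);

        // Fall-through handler: keep the 404, drop the context listing.
        DefaultHandler fallback = new DefaultHandler();
        fallback.setShowContexts(false);
        fallback.setServeIcon(false);

        HandlerList chain = new HandlerList();
        chain.setHandlers(new Handler[] { app, fallback });
        server.setHandler(chain);

        // Keep stack traces out of error pages for the same reason.
        ErrorHandler errors = new ErrorHandler();
        errors.setShowStacks(false);
        server.setErrorHandler(errors);

        server.start();
        server.join();
    }
}
```

To confirm the setting took effect, request a path that matches no context (for example `curl -i http://localhost:8080/does-not-exist`) and check that the 404 body contains neither the context list nor any filesystem path. Upgrading to the fixed releases listed in this bug remains the primary fix; disabling the listing only removes the disclosure from the error page.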
Dhananjay Arunesh darunesh@redhat.com changed:
What        |Removed |Added
---------------------------------------------------------------------------
Depends On  |        |1705994
--- Comment #1 from Dhananjay Arunesh darunesh@redhat.com ---
Created jetty tracking bugs for this issue:
Affects: fedora-all [bug 1705994]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1705994 [Bug 1705994] CVE-2019-10247 jetty: error path information disclosure [fedora-all]
Dhananjay Arunesh darunesh@redhat.com changed:
What        |Removed |Added
---------------------------------------------------------------------------
Blocks      |        |1705926
--- Comment #2 from Joshua Padman jpadman@redhat.com ---
This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Fuse 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Cedric Buissart 🐶 cbuissar@redhat.com changed:
What        |Removed |Added
---------------------------------------------------------------------------
Whiteboard  |impact=moderate,public=20190418,reported=20190423,source=cve,cvss3=5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-200,fedora-all/jetty=affected,fuse-6/jetty=new,fuse-7/jetty=new,rhn_satellite_5/jetty=new,rhscl-3/rh-java-common-jetty=new,rhel-6/jetty-eclipse=new,rhel-7/jetty=new |impact=moderate,public=20190418,reported=20190423,source=cve,cvss3=5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-200,fedora-all/jetty=affected,fuse-6/jetty=new,fuse-7/jetty=new,rhn_satellite_5/nutch=new/impact=low,rhscl-3/rh-java-common-jetty=new,rhel-6/jetty-eclipse=new,rhel-7/jetty=new
--- Comment #3 from Cedric Buissart 🐶 cbuissar@redhat.com ---
Statement:
This issue affects the versions of jetty which are embedded in the nutch package as shipped with Red Hat Satellite 5. The jetty server is not exposed; as such, exploitation is difficult. Red Hat Product Security has rated this issue as having a security impact of Low in the context of Red Hat Satellite 5. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Bug 1705993 depends on bug 1705994, which changed state.
Bug 1705994 Summary: CVE-2019-10247 jetty: error path information disclosure [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1705994
What        |Removed |Added
---------------------------------------------------------------------------
Status      |NEW     |CLOSED
Resolution  |---     |RAWHIDE
Doran Moppert dmoppert@redhat.com changed:
What              |Removed |Added
---------------------------------------------------------------------------
Priority          |medium  |low
Fixed In Version  |        |jetty 9.2.28, jetty 9.3.27, jetty 9.4.16
Severity          |medium  |low
Jonathan Christison jochrist@redhat.com changed:
What        |Removed |Added
---------------------------------------------------------------------------
CC          |        |ataylor@redhat.com, drieden@redhat.com, ganandan@redhat.com, ggaughan@redhat.com, jwon@redhat.com
--- Comment #9 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat AMQ
Via RHSA-2020:0922 https://access.redhat.com/errata/RHSA-2020:0922
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What        |Removed |Added
---------------------------------------------------------------------------
Link ID     |        |Red Hat Product Errata RHSA-2020:0922
Product Security DevOps Team prodsec-dev@redhat.com changed:
What        |Removed |Added
---------------------------------------------------------------------------
Status      |NEW     |CLOSED
Resolution  |---     |ERRATA
Last Closed |        |2020-03-23 10:32:18
--- Comment #10 from Product Security DevOps Team prodsec-dev@redhat.com ---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-10247
--- Comment #11 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat AMQ 7.4.3
Via RHSA-2020:1445 https://access.redhat.com/errata/RHSA-2020:1445
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What        |Removed |Added
---------------------------------------------------------------------------
Link ID     |        |Red Hat Product Errata RHSA-2020:1445