CVE-2019-10241

Severity: MEDIUM | CVSS 6.1/10 | EPSS 9.59%

CVE-2019-10241 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. EPSS estimates a 9.59% chance of exploitation in the next 30 days.

Description

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

Metrics

CVSS 3.1
6.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Probability
9.59%

94.9th percentile

Probability of exploitation in the next 30 days.

Affected Software

Vendor    Product   Version   Update
Eclipse   Jetty     9.2.0     20140523
Eclipse   Jetty     9.2.1     20140609
Eclipse   Jetty     9.2.2     20140723
Eclipse   Jetty     9.2.3     20140905
Eclipse   Jetty     9.2.4     20141103
Eclipse   Jetty     9.2.5     20141112
Eclipse   Jetty     9.2.6     20141203
Eclipse   Jetty     9.2.7     20150116
Eclipse   Jetty     9.2.8     20150217
Eclipse   Jetty     9.2.9     20150224
Eclipse   Jetty     9.2.10    20150310
Eclipse   Jetty     9.2.11    20150528
Eclipse   Jetty     9.2.12    20150709
Eclipse   Jetty     9.2.13    20150730
Eclipse   Jetty     9.2.14    20151106
Eclipse   Jetty     9.2.15    20160210
Eclipse   Jetty     9.2.16    20160407
Eclipse   Jetty     9.2.17    20160517
Eclipse   Jetty     9.2.18    20160721
Eclipse   Jetty     9.2.19    20160908
Eclipse   Jetty     9.2.20    20161216
Eclipse   Jetty     9.2.21    20170120
Eclipse   Jetty     9.2.22    20170606
Eclipse   Jetty     9.2.23    20171218
Eclipse   Jetty     9.2.24    20180105
Eclipse   Jetty     9.2.25    20180606
Eclipse   Jetty     9.2.26    20180806
Eclipse   Jetty     9.3.0     20150601
Eclipse   Jetty     9.3.1     20150714
Eclipse   Jetty     9.3.2     20150730
Eclipse   Jetty     9.3.3     20150825
Eclipse   Jetty     9.3.4     20151005
Eclipse   Jetty     9.3.5     20151012
Eclipse   Jetty     9.3.6     20151106
Eclipse   Jetty     9.3.7     20160115
Eclipse   Jetty     9.3.8     20160311
Eclipse   Jetty     9.3.9     20160517
Eclipse   Jetty     9.3.10    20160621
Eclipse   Jetty     9.3.11    20160721
Eclipse   Jetty     9.3.12    20160915
Eclipse   Jetty     9.3.13    20161014
Eclipse   Jetty     9.3.14    20161028
Eclipse   Jetty     9.3.15    20161220
Eclipse   Jetty     9.3.16    20170119
Eclipse   Jetty     9.3.17    20170317
Eclipse   Jetty     9.3.18    20170406
Eclipse   Jetty     9.3.19    20170502
Eclipse   Jetty     9.3.20    20170531
Eclipse   Jetty     9.3.21    20170918
Eclipse   Jetty     9.3.22    20171030

Showing 50 of 83 affected configurations. See NVD for the full list.

Frequently Asked Questions

What is CVE-2019-10241?
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
How severe is CVE-2019-10241?
CVE-2019-10241 has a CVSS score of 6.1/10 (MEDIUM severity). The EPSS model estimates a 9.59% probability of exploitation in the next 30 days.
How do I fix CVE-2019-10241?
Check the vendor references and advisories in the NVD entry for patched versions and mitigation guidance.

Source: NVD / NIST