CVE-2019-10246
Last modified
CVE-2019-10246 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. In Eclipse Jetty versions 9.2.27, 9.3.26, and 9.4.16, a server running on Windows exposes the fully qualified Base Resource directory name to a remote client when it is configured to show a listing of directory contents. The disclosure is restricted to the content in the configured base resource directories. EPSS estimates a 4.02% chance of exploitation in the next 30 days.
Description
In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Eclipse | Jetty | 9.2.27 | 20190403 |
| Eclipse | Jetty | 9.3.26 | 20190403 |
| Eclipse | Jetty | 9.4.16 | 20190411 |
| Netapp | Oncommand System Manager | >= 3.0, <= 3.1.3 | — |
| Netapp | Snap Creator Framework | All versions | — |
| Netapp | Snapcenter | All versions | — |
| Netapp | Snapmanager | All versions | — |
| Netapp | Storage Replication Adapter For Clustered Data Ontap | >= 9.6 | — |
| Netapp | Storage Replication Adapter For Clustered Data Ontap | 9.6 | — |
| Netapp | Storage Services Connector | All versions | — |
| Netapp | Vasa Provider For Clustered Data Ontap | >= 9.6 | — |
| Netapp | Vasa Provider For Clustered Data Ontap | All versions | — |
| Netapp | Virtual Storage Console | >= 9.6 | — |
| Netapp | Virtual Storage Console | 9.6 | — |
| Netapp | Element | All versions | — |
| Oracle | Autovue | 21.0.2 | — |
| Oracle | Communications Analytics | 12.1.1 | — |
| Oracle | Communications Element Manager | 8.0.0 | — |
| Oracle | Communications Element Manager | 8.1.0 | — |
| Oracle | Communications Element Manager | 8.1.1 | — |
| Oracle | Communications Element Manager | 8.2.0 | — |
| Oracle | Communications Services Gatekeeper | 6.0 | — |
| Oracle | Communications Services Gatekeeper | 6.1 | — |
| Oracle | Communications Services Gatekeeper | 7.0 | — |
| Oracle | Communications Session Report Manager | 8.0.0 | — |
| Oracle | Communications Session Report Manager | 8.1.0 | — |
| Oracle | Communications Session Report Manager | 8.1.1 | — |
| Oracle | Communications Session Report Manager | 8.2.0 | — |
| Oracle | Communications Session Route Manager | 8.0.0 | — |
| Oracle | Communications Session Route Manager | 8.1.0 | — |
| Oracle | Communications Session Route Manager | 8.1.1 | — |
| Oracle | Communications Session Route Manager | 8.2.0 | — |
| Oracle | Data Integrator | 12.2.1.3.0 | — |
| Oracle | Data Integrator | 12.2.1.4.0 | — |
| Oracle | Endeca Information Discovery Integrator | 3.2.0 | — |
| Oracle | Enterprise Manager Base Platform | 13.2 | — |
| Oracle | Enterprise Manager Base Platform | 13.3 | — |
| Oracle | Flexcube Core Banking | >= 11.5.0, <= 11.7.0 | — |
| Oracle | Flexcube Core Banking | 5.2.0 | — |
| Oracle | Flexcube Private Banking | 12.0.0 | — |
| Oracle | Flexcube Private Banking | 12.1.0 | — |
| Oracle | Hospitality Guest Access | 4.2.0 | — |
| Oracle | Hospitality Guest Access | 4.2.1 | — |
| Oracle | Rest Data Services | 11.2.0.4 | — |
| Oracle | Rest Data Services | 12.1.0.2 | — |
| Oracle | Rest Data Services | 12.2.0.1 | — |
| Oracle | Rest Data Services | 18c | — |
| Oracle | Retail Xstore Point Of Service | 7.1 | — |
| Oracle | Retail Xstore Point Of Service | 15.0 | — |
| Oracle | Retail Xstore Point Of Service | 16.0 | — |
Showing 50 of 53 affected configurations. See NVD for the full list.
References
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=546576 (Issue Tracking, Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20190509-0003/ (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2020.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2020.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2021.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2020.html (Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Source: NVD / NIST
