CVE-2019-10247

Name: CVE-2019-10247
Creator: NVD / NIST
Published: 2019-04-22T20:29:00.367+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.3/10EPSS 5.78%

Last modified Jun 17, 2026

CVE-2019-10247 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. EPSS estimates a 5.78% chance of exploitation in the next 30 days.

Description

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.

Metrics

CVSS 3.1

5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Probability

5.78%

92.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions	Update
Eclipse	Jetty	7.0.0	20091005
Eclipse	Jetty	7.0.1	20091125
Eclipse	Jetty	7.0.2	20100331
Eclipse	Jetty	7.1.0	20100505
Eclipse	Jetty	7.1.1	20100517
Eclipse	Jetty	7.1.2	20100523
Eclipse	Jetty	7.1.3	20100526
Eclipse	Jetty	7.1.4	20100610
Eclipse	Jetty	7.1.5	20100705
Eclipse	Jetty	7.1.6	20100715
Eclipse	Jetty	7.2.0	20101020
Eclipse	Jetty	7.2.1	20101111
Eclipse	Jetty	7.2.2	20101205
Eclipse	Jetty	7.3.0	20110203
Eclipse	Jetty	7.3.1	20110307
Eclipse	Jetty	7.4.0	20110414
Eclipse	Jetty	7.4.1	20110513
Eclipse	Jetty	7.4.2	20110526
Eclipse	Jetty	7.4.3	20110630
Eclipse	Jetty	7.4.4	20110707
Eclipse	Jetty	7.4.5	20110725
Eclipse	Jetty	7.5.0	20110901
Eclipse	Jetty	7.5.1	20110908
Eclipse	Jetty	7.5.2	20111006
Eclipse	Jetty	7.5.3	20111011
Eclipse	Jetty	7.5.4	20111024
Eclipse	Jetty	7.6.0	20120125
Eclipse	Jetty	7.6.1	20120215
Eclipse	Jetty	7.6.2	20120302
Eclipse	Jetty	7.6.3	20120413
Eclipse	Jetty	7.6.4	20120522
Eclipse	Jetty	7.6.5	20120713
Eclipse	Jetty	7.6.6	20120903
Eclipse	Jetty	7.6.7	20120910
Eclipse	Jetty	7.6.8	20121106
Eclipse	Jetty	7.6.9	20130131
Eclipse	Jetty	7.6.10	20130312
Eclipse	Jetty	7.6.11	20130520
Eclipse	Jetty	7.6.12	20130726
Eclipse	Jetty	7.6.13	20130910
Eclipse	Jetty	7.6.14	20131031
Eclipse	Jetty	7.6.15	20140411
Eclipse	Jetty	7.6.16	20140903
Eclipse	Jetty	7.6.17	20150415
Eclipse	Jetty	7.6.18	20150929
Eclipse	Jetty	7.6.19	20160209
Eclipse	Jetty	7.6.20	20160902
Eclipse	Jetty	7.6.21	20160908
Eclipse	Jetty	8.0.0	20110901
Eclipse	Jetty	8.0.1	20110908

Showing 50 of 210 affected configurations. See NVD for the full list.

References

https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577Issue Tracking, Vendor Advisory
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/05/msg00016.htmlMailing List, Third Party Advisory
https://security.netapp.com/advisory/ntap-20190509-0003/Third Party Advisory
https://www.debian.org/security/2021/dsa-4949Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2020.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlPatch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlPatch, Third Party Advisory
https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577Issue Tracking, Vendor Advisory
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/05/msg00016.htmlMailing List, Third Party Advisory
https://security.netapp.com/advisory/ntap-20190509-0003/Third Party Advisory
https://www.debian.org/security/2021/dsa-4949Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2020.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.htmlPatch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlPatch, Third Party Advisory

Timeline

Published: Apr 22, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-10247?

How severe is CVE-2019-10247?

CVE-2019-10247 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 5.78% probability of exploitation in the next 30 days.

How do I fix CVE-2019-10247?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-10247?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST