In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
CVE-2018-12536 - Medium Severity Vulnerability
Vulnerable Libraries - jetty-servlet-9.4.0.v20161208.jar, jetty-server-9.4.0.v20161208.jar
jetty-servlet-9.4.0.v20161208.jar
Jetty Servlet Container
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /tc-bbn-kafka/pom.xml
Path to vulnerable library: /eclipse/jetty/jetty-servlet/9.4.0.v20161208/jetty-servlet-9.4.0.v20161208.jar
Dependency Hierarchy: - :x: **jetty-servlet-9.4.0.v20161208.jar** (Vulnerable Library)
jetty-server-9.4.0.v20161208.jar
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /tc-bbn-kafka/pom.xml
Path to vulnerable library: /eclipse/jetty/jetty-server/9.4.0.v20161208/jetty-server-9.4.0.v20161208.jar
Dependency Hierarchy: - :x: **jetty-server-9.4.0.v20161208.jar** (Vulnerable Library)
Found in HEAD commit: 2c226dda8de79bfd0db3e278181aebf361463b78
Found in base branch: master
Vulnerability Details
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
Publish Date: 2018-06-27
URL: CVE-2018-12536
CVSS 3 Score Details (5.3)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/eclipse/jetty.project/commit/ad4dceb1c08679baa2a6a64356fcde5309e13fd8
Release Date: 2018-06-27
Fix Resolution: org.eclipse.jetty:jetty-server:9.3.24.v20180605,9.4.11.v20180605,org.eclipse.jetty:jetty-util:9.3.24.v20180605,9.4.11.v20180605,org.eclipse.jetty:jetty-servlet:9.3.24.v20180605,9.4.11.v20180605
:rescue_worker_helmet: Automatic Remediation is available for this issue