CVE-2018-12536
See a problem?- Source
- https://nvd.nist.gov/vuln/detail/CVE-2018-12536
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-12536.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2018-12536
- Aliases
- Related
- Published
- 2018-06-27T17:29:00Z
- Modified
- 2024-09-03T02:24:29.869866Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
- References
-
- http://www.securitytracker.com/id/1041194
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670
- https://security.netapp.com/advisory/ntap-20181014-0001/
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://security-tracker.debian.org/tracker/CVE-2018-12536
Affected packages
Debian:11 / jetty9
Package
- Name
- jetty9
- Purl
- pkg:deb/debian/jetty9?arch=source
Debian:12 / jetty9
Package
- Name
- jetty9
- Purl
- pkg:deb/debian/jetty9?arch=source
Debian:13 / jetty9
Package
- Name
- jetty9
- Purl
- pkg:deb/debian/jetty9?arch=source
Git / github.com/eclipse/jetty.project
Affected ranges
- Type
- GIT
- Repo
- https://github.com/eclipse/jetty.project
- Events
- Type
- GIT
- Repo
- https://github.com/jetty/jetty.project
- Events
Affected versions
jetty-9.*
jetty-9.2.10.v20150310
jetty-9.2.11.M0
jetty-9.2.11.v20150528
jetty-9.2.11.v20150529
jetty-9.2.12.M0
jetty-9.2.12.v20150709
jetty-9.2.13.v20150730
jetty-9.2.14.v20151106
jetty-9.2.15.v20160210
jetty-9.2.16.v20160414
jetty-9.2.17.v20160517
jetty-9.2.18.v20160721
jetty-9.2.19.v20160908
jetty-9.2.20.v20161216
jetty-9.2.21.v20170120
jetty-9.2.22.v20170606
jetty-9.2.23.v20171218
jetty-9.2.24.v20180105
jetty-9.2.4.v20141103
jetty-9.2.5.v20141112
jetty-9.2.6.v20141203
jetty-9.2.6.v20141205
jetty-9.2.7.v20150116
jetty-9.2.8.v20150217
jetty-9.2.9.v20150224
jetty-9.3.0.M0
jetty-9.3.0.v20150612
jetty-9.3.1.v20150714
jetty-9.3.10.M0
jetty-9.3.10.v20160621
jetty-9.3.11.M0
jetty-9.3.11.v20160721
jetty-9.3.12.v20160915
jetty-9.3.13.M0
jetty-9.3.13.v20161014
jetty-9.3.14.v20161028
jetty-9.3.15.v20161220
jetty-9.3.16.v20170120
jetty-9.3.17.v20170317
jetty-9.3.18.v20170406
jetty-9.3.19.v20170502
jetty-9.3.20.v20170531
jetty-9.3.21.M0
jetty-9.3.21.v20170918
jetty-9.3.22.v20171030
jetty-9.3.23.v20180228
jetty-9.3.3.v20150825
jetty-9.3.3.v20150827
jetty-9.3.4.v20151007
jetty-9.3.5.v20151012
jetty-9.3.6.v20151106
jetty-9.3.7.RC0
jetty-9.3.7.RC1
jetty-9.3.7.v20160115
jetty-9.3.8.RC0
jetty-9.3.8.v20160314
jetty-9.3.9.M1
jetty-9.3.9.v20160517