{"id":"CVE-2019-10246","details":"In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.","aliases":["GHSA-r28m-g6j9-r2h5"],"modified":"2026-04-11T12:10:04.066001Z","published":"2019-04-22T20:29:00.303Z","database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","extracted_events":[{"introduced":"3.0"},{"last_affected":"3.1.3"}],"cpe":"cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"introduced":"9.6"}],"cpe":"cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap:*:*:*:*:*:vmware_vsphere:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"9.6"}],"cpe":"cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap:9.6:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"introduced":"9.6"}],"cpe":"cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap:*:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"introduced":"9.6"}],"cpe":"cpe:2.3:a:netapp:virtual_storage_console:*:*:*:*:*:vmware_vsphere:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"9.6"}],"cpe":"cpe:2.3:a:netapp:virtual_storage_console:9.6:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"21.0.2"}],"cpe":"cpe:2.3:a:oracle:autovue:21.0.2:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"8.1.0"}],"cpe":"cpe:2.3:a:oracle:communications_element_manager:8.1.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"8.1.1"}],"cpe":"cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"6.0"}],"cpe":"cpe:2.3:a:oracle:communications_services_gatekeeper:6.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"6.1"}],"cpe":"cpe:2.3:a:oracle:communications_services_gatekeeper:6.1:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"7.0"}],"cpe":"cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"8.1.0"}],"cpe":"cpe:2.3:a:oracle:communications_session_report_manager:8.1.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"8.1.1"}],"cpe":"cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"8.1.0"}],"cpe":"cpe:2.3:a:oracle:communications_session_route_manager:8.1.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"8.1.1"}],"cpe":"cpe:2.3:a:oracle:communications_session_route_manager:8.1.1:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"12.2.1.3.0"}],"cpe":"cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"12.2.1.4.0"}],"cpe":"cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"3.2.0"}],"cpe":"cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"13.2"}],"cpe":"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"13.3"}],"cpe":"cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"introduced":"11.5.0"},{"last_affected":"11.7.0"}],"cpe":"cpe:2.3:a:oracle:flexcube_core_banking:*:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"5.2.0"}],"cpe":"cpe:2.3:a:oracle:flexcube_core_banking:5.2.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"4.2.0"}],"cpe":"cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"4.2.1"}],"cpe":"cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"11.2.0.4"}],"cpe":"cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"12.1.0.2"}],"cpe":"cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"12.2.0.1"}],"cpe":"cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"18c"}],"cpe":"cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"15.0"}],"cpe":"cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"16.0"}],"cpe":"cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"17.0"}],"cpe":"cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"7.1"}],"cpe":"cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"12.2.1.3.0"}],"cpe":"cpe:2.3:a:oracle:unified_directory:12.2.1.3.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"12.2.1.4.0"}],"cpe":"cpe:2.3:a:oracle:unified_directory:12.2.1.4.0:*:*:*:*:*:*:*"}]},"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20190509-0003/"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"type":"ADVISORY","url":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"},{"type":"REPORT","url":"https://bugs.eclipse.org/bugs/show_bug.cgi?id=546576"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jetty/jetty.project","events":[{"introduced":"0"},{"last_affected":"84dfe74b974291cfdba6c855c89d65049bed739e"},{"last_affected":"dae476e369ceca8b77926996dd9cd537472e5415"},{"last_affected":"e0aa4ae4c0fe2e6bb3ecde2eb3e54bc3087b2f52"},{"last_affected":"b7068950f9afa5f1df80e46053eda1d982895b03"},{"last_affected":"e6822fabb0f4c33670771552ba14a5a3aabec239"},{"last_affected":"d790fc77c0ae2fcb46e4b34e8ba960aea19f6823"},{"last_affected":"28100e8da711e44c0722ed10bd413ae862497539"},{"last_affected":"c8372b65bd15404de1444d68902c0455a3a69b64"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"9.2.27-20190403"},{"last_affected":"9.3.26-20190403"},{"last_affected":"9.4.16-20190411"},{"last_affected":"12.1.1"},{"last_affected":"8.0.0"},{"last_affected":"8.2.0"},{"last_affected":"12.0.0"},{"last_affected":"12.1.0"}],"cpe":["cpe:2.3:a:eclipse:jetty:9.2.27:20190403:*:*:*:*:*:*","cpe:2.3:a:eclipse:jetty:9.3.26:20190403:*:*:*:*:*:*","cpe:2.3:a:eclipse:jetty:9.4.16:20190411:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_analytics:12.1.1:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_element_manager:8.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_session_report_manager:8.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_session_route_manager:8.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*"]}}],"versions":["jetty-11.0.0-alpha0","jetty-11.0.0.beta1","jetty-11.0.0.beta2","jetty-11.0.2","jetty-11.0.8","jetty-11.0.9","jetty-12.0.0.beta2x","jetty-12.0.0.beta3x","jetty-12.0.0x","jetty-12.0.5","jetty-12.0.6","jetty-12.1.0","jetty-12.1.0.beta1","jetty-12.1.1","jetty-8.0.0.M0","jetty-8.0.0.RC0","jetty-8.1.0.RC0","jetty-8.1.13.v20130910","jetty-8.1.13.v20130916","jetty-8.1.14.v20131031","jetty-8.1.15.v20140411","jetty-8.1.16.v20140903","jetty-8.1.18.v20150929","jetty-8.1.19.v20160209","jetty-8.1.20.v20160902","jetty-8.1.21.v20160908","jetty-8.2.0.v20160908","jetty-9.1.0.M0","jetty-9.1.0.RC0","jetty-9.1.0.RC1","jetty-9.1.0.RC2","jetty-9.1.0.v20131115","jetty-9.1.1.v20140108","jetty-9.1.2.v20140210","jetty-9.1.3.v20140225","jetty-9.1.4.v20140401","jetty-9.2.0.M0","jetty-9.2.0.M1","jetty-9.2.0.RC0","jetty-9.2.0.v20140523","jetty-9.2.0.v20140526","jetty-9.2.1.v20140609","jetty-9.2.10.v20150310","jetty-9.2.11.M0","jetty-9.2.11.v20150528","jetty-9.2.11.v20150529","jetty-9.2.12.M0","jetty-9.2.12.v20150709","jetty-9.2.13.v20150730","jetty-9.2.15.v20160210","jetty-9.2.18.v20160721","jetty-9.2.19.v20160908","jetty-9.2.2.v20140723","jetty-9.2.20.v20161216","jetty-9.2.21.v20170120","jetty-9.2.22.v20170606","jetty-9.2.23.v20171218","jetty-9.2.26.v20180806","jetty-9.2.27.v20190403","jetty-9.2.3.v20140905","jetty-9.2.4.v20141103","jetty-9.2.5.v20141112","jetty-9.2.6.v20141203","jetty-9.2.6.v20141205","jetty-9.2.7.v20150116","jetty-9.2.8.v20150217","jetty-9.2.9.v20150224","jetty-9.3.13.M0","jetty-9.3.17.v20170317","jetty-9.3.18.v20170406","jetty-9.3.19.v20170502","jetty-9.3.23.v20180228","jetty-9.3.24.v20180605","jetty-9.3.25.v20180904","jetty-9.3.26.v20190403","jetty-9.3.4.v20151007","jetty-9.3.7.RC1","jetty-9.3.7.v20160115","jetty-9.4.10.v20180503","jetty-9.4.12.v20180830","jetty-9.4.13.v20181111","jetty-9.4.14.v20181114","jetty-9.4.15.v20190215","jetty-9.4.16.v20190411","jetty-9.4.2.v20170220","jetty-9.4.6.v20170531"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-10246.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}