CVE-2019-10246 in Jetty
Summary
by MITRE
In Eclipse Jetty versions 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.
Analysis
by VulDB Data Team • 06/01/2020
The vulnerability identified as CVE-2019-10246 affects Eclipse Jetty servers running on Windows operating systems, specifically versions 9.2.27, 9.3.26, and 9.4.16. This security flaw represents a directory traversal information disclosure issue that occurs when the server is configured to display directory listings. The vulnerability stems from improper handling of directory listing requests on Windows platforms, where the server inadvertently exposes the complete absolute path of the base resource directory to remote clients. This exposure occurs specifically when directory listing functionality is enabled and the server is operating on a Windows environment, making it a platform-specific vulnerability that does not affect Unix-based systems.
The technical implementation of this vulnerability involves the server's response to directory listing requests in Windows environments. When a client requests to view the contents of a directory that is configured as a base resource, the server's response includes the fully qualified path information in its output. This happens because Jetty's directory listing mechanism on Windows platforms does not properly sanitize or obfuscate the absolute path information before returning it to the client. The vulnerability is classified under CWE-200, which deals with Information Exposure, and specifically relates to the disclosure of information that should remain hidden or restricted to authorized users only. The affected configuration requires the server to be running on Windows with directory listing enabled, creating a scenario where remote attackers can gather sensitive path information that could aid in further exploitation attempts.
The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with critical path information that could be used in subsequent attacks. The exposed directory paths reveal the complete absolute paths on the server filesystem, which could help attackers understand the server's directory structure and potentially identify other sensitive locations. This information disclosure could facilitate more sophisticated attacks such as path traversal exploitation, where an attacker might use the exposed paths to map the server's filesystem structure and locate sensitive files or directories. The vulnerability is particularly concerning in environments where the base resource directory contains sensitive data or where the directory structure might reveal information about the application's deployment or configuration. According to the ATT&CK framework, this vulnerability maps to T1083 (File and Directory Discovery) as it enables adversaries to discover and map the file system structure of the affected server.
Mitigation strategies for CVE-2019-10246 focus on both immediate configuration changes and long-term security improvements. The most direct approach involves disabling directory listing functionality on Windows-based Jetty servers when it is not strictly required for operations. Administrators should review their server configurations and ensure that directory listing is only enabled in controlled environments where the risk is properly mitigated. Upgrading to newer versions of Eclipse Jetty that have addressed this specific vulnerability represents the most effective long-term solution, as newer releases include proper path sanitization for Windows platforms. Additionally, implementing network-level controls such as firewall rules that restrict access to directory listing endpoints can provide an additional layer of protection. Organizations should also consider implementing proper access controls and authentication mechanisms to ensure that even if path information is exposed, unauthorized users cannot access the underlying resources. The vulnerability highlights the importance of platform-specific security considerations in web server configurations and underscores the need for comprehensive security testing across different operating environments.
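As an added example (not code from MITRE, VulDB or the Jetty project), the following Python check flags a deployment that meets all three conditions described above: one of the listed versions, a Windows host, and directory listing left enabled in `web.xml`. `dirAllowed` and `org.eclipse.jetty.servlet.Default.dirAllowed` are Jetty's DefaultServlet settings; the function names and sample descriptors are constructed for illustration, and treating an unset `dirAllowed` as enabled is an assumption.

```python
import xml.etree.ElementTree as ET

AFFECTED_VERSIONS = {"9.2.27", "9.3.26", "9.4.16"}  # versions named in the summary
DEFAULT_SERVLET = "org.eclipse.jetty.servlet.DefaultServlet"
CONTEXT_PARAM = "org.eclipse.jetty.servlet.Default.dirAllowed"

def _local(tag):
    # Drop the "{namespace}" prefix so any web.xml schema version matches.
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def dir_listing_enabled(web_xml, default=True):
    """Report whether the descriptor leaves DefaultServlet directory listings on."""
    ctx = srv = None
    for elem in ET.fromstring(web_xml).iter():
        kind = _local(elem.tag)
        if kind == "context-param" and _child_text(elem, "param-name") == CONTEXT_PARAM:
            ctx = _child_text(elem, "param-value")
        elif kind == "servlet" and _child_text(elem, "servlet-class") == DEFAULT_SERVLET:
            for p in elem:
                if _local(p.tag) == "init-param" and _child_text(p, "param-name") == "dirAllowed":
                    srv = _child_text(p, "param-value")
    value = ctx if ctx is not None else srv  # context-param overrides init-param
    if not value:
        return default  # assumption: an unset dirAllowed means listings are on
    return value[0] in "tTyY1"  # lenient: "true", "yes" and "1" all count as on

def matches_advisory(version, os_name, web_xml):
    """True only when all three conditions from the summary hold together."""
    return (version in AFFECTED_VERSIONS
            and os_name.lower().startswith("windows")
            and dir_listing_enabled(web_xml))

# Constructed sample descriptors: listing enabled, then the hardened form.
SAMPLE_WEAK = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <init-param><param-name>dirAllowed</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>"""
SAMPLE_HARDENED = SAMPLE_WEAK.replace("<param-value>true", "<param-value>false")

if __name__ == "__main__":
    for label, xml_text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, matches_advisory("9.4.16", "Windows Server 2016", xml_text))
```

The hardened descriptor differs from the weak one only in `dirAllowed` being `false`, which is the configuration change the mitigation paragraph recommends when listings are not required.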