Re: [jetty-users] Indexing/Listing Vulnerability in Jetty

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] Indexing/Listing Vulnerability in Jetty

From: <steve@xxxxxxxxxxxxxxxx>
Date: Mon, 22 Apr 2019 14:11:27 -0700
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>
Thread-index: AQLMQpEL9utWJliVsJjbg5xedV4ixqRaGmFQ

Thank you for all of your excellent work over the years.

I am using a customized, embedded version of Jetty (which is an OSS project that I hope to publicly launch soon!) that does not use either one. I’m ok, right? (Although it would not be a big deal to upgrade to the latest Jetty, so maybe I should upgrade anyhow.)

Thanks

--Steve

From: jetty-users-bounces@xxxxxxxxxxx <jetty-users-bounces@xxxxxxxxxxx> On Behalf Of Chris Walker
Sent: Monday, April 22, 2019 11:32
To: JETTY user mailing list <jetty-users@xxxxxxxxxxx>; Jetty @ Eclipse developer discussion list <jetty-dev@xxxxxxxxxxx>; jetty-announce@xxxxxxxxxxx
Subject: [jetty-users] Indexing/Listing Vulnerability in Jetty

Hello!

Greetings from the team at Webtide. We wanted to make you aware of a vulnerability that was recently discovered in Jetty and reported as CVE-2019-10241, CVE-2019-10246 and CVE-2019-10247.

If you are using DefaultServlet or ResourceHandler with indexing/listing, then you are vulnerable to a variant of XSS behaviors surrounding the use of injected HTML element attributes on the parent directory link. We recommend disabling indexing/listing or upgrading to a non-vulnerable version.

We have put together a blog post that contains more information on how to disable indexing/listing, which can be found on the Webtide website.

https://webtide.com/indexing-listing-vulnerability/

Additionally, we discovered that usages of DefaultHandler were susceptible to a similar leak of information. If no webapp was mounted on the root "/" namespace, a page would be generated with links to other namespaces. This has been the default behavior in Jetty for years, but we have removed this to safeguard data.

As a result of these CVEs, we have released new versions for the 9.2.x, 9.3.x, and 9.4.x branches. The most up-to-date versions of all three are as follows, and are available both on the Jetty website and Maven Central.

Versions affected:

9.2.26 and older (now EOL)
9.3.25 and older
9.4.15 and older

Resolved:

9.2.28.v20190418
9.3.27.v20190418
9.4.17.v20190418

Best Regards,
The Webtide Team

Follow-Ups:
- Re: [jetty-users] Indexing/Listing Vulnerability in Jetty
  - From: Joakim Erdfelt

References:
- [jetty-users] Indexing/Listing Vulnerability in Jetty
  - From: Chris Walker

Prev by Date: [jetty-users] Indexing/Listing Vulnerability in Jetty
Next by Date: Re: [jetty-users] Indexing/Listing Vulnerability in Jetty
Previous by thread: [jetty-users] Indexing/Listing Vulnerability in Jetty
Next by thread: Re: [jetty-users] Indexing/Listing Vulnerability in Jetty
Index(es):
- Date
- Thread

Breadcrumbs