CVE-2018-12536
Description
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A specially crafted HTTP query to Eclipse Jetty's DefaultServlet triggers an InvalidPathException that discloses the full server path in the error response.
Vulnerability
In Eclipse Jetty versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (all configurations), web applications deployed with the default error handling mechanism are vulnerable to an information disclosure issue. When a crafted HTTP query with malformed characters that does not match any servlet’s dynamic URL pattern is processed by the static file serving DefaultServlet, it causes a java.nio.file.InvalidPathException whose message includes the full filesystem path to the base resource directory used by the DefaultServlet or webapp [1][2].
Exploitation
An attacker requires no authentication and only needs network access to a vulnerable Jetty instance. The attacker sends an HTTP request with an intentionally malformed query string (e.g., containing non-printable or illegal characters) that fails to match any dynamic URL pattern. The request is eventually handled by the DefaultServlet for static file serving, where the malformed path triggers the InvalidPathException. This exception is then caught and processed by the default error handler, which includes the exception’s message (containing the full server path) in the HTTP error response [2].
Impact
Successful exploitation discloses the full filesystem path of the base resource directory used by the DefaultServlet or the deployed web application. This path disclosure aids an attacker in further reconnaissance and may be chained with other attacks, such as path traversal or local file inclusion [2][3]. No other direct impact on confidentiality, integrity, or availability has been reported for this flaw.
Mitigation
The vulnerability is fixed in Jetty versions 9.3.24.v20180605 and 9.4.11.v20180605 [2]. For versions 9.2.x and older, which are end-of-life, no patch is provided and users are strongly advised to upgrade to a supported release. Where upgrading is not immediately possible, a workaround is to replace the default error handler with a custom error handler that does not expose the InvalidPathException message or the underlying stack trace [1][2].
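The workaround above, as an added example that is not code from the advisory or from Jetty itself: a Jetty 9.x ErrorHandler subclass that discards the exception-derived reason text and answers with only the generic status phrase, logging the real cause server-side. It assumes the Jetty 9.4 ErrorHandler hooks (writeErrorPage, setShowStacks, setShowMessageInTitle), Jetty's own Log/Logger utilities and the class name SafeErrorHandler, which is hypothetical; check the hook signatures against the exact 9.x version you run.

```java
import java.io.IOException;
import java.io.Writer;
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServletRequest;
import org.eclipse.jetty.http.HttpStatus;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ErrorHandler;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import org.eclipse.jetty.webapp.WebAppContext;

// Hypothetical class name; not part of Jetty.
public class SafeErrorHandler extends ErrorHandler {
    private static final Logger LOG = Log.getLogger(SafeErrorHandler.class);

    public SafeErrorHandler() {
        // Even if some path bypasses writeErrorPage, the stock rendering
        // will not print stack traces or put the exception message in <title>.
        setShowStacks(false);
        setShowMessageInTitle(false);
    }

    @Override
    protected void writeErrorPage(HttpServletRequest request, Writer writer,
                                  int code, String message, boolean showStacks)
            throws IOException {
        // 'message' is the reason text Jetty derived from the failure; for
        // CVE-2018-12536 that is the InvalidPathException text carrying the
        // base resource path. Log the cause server-side and answer the client
        // with only the generic phrase for the status code.
        Throwable cause =
            (Throwable) request.getAttribute(RequestDispatcher.ERROR_EXCEPTION);
        if (cause != null) {
            LOG.warn("{} {} -> {}: {}", request.getMethod(),
                     request.getRequestURI(), code, cause.toString());
        }
        String phrase = HttpStatus.getMessage(code);
        writer.write("<html><head><title>Error " + code + "</title></head><body>\n");
        writer.write("<h2>HTTP ERROR " + code + "</h2>\n<p>" + phrase + "</p>\n");
        writer.write("</body></html>\n");
    }

    // Install on both the webapp context (errors inside the webapp, including
    // DefaultServlet) and the Server (errors raised before any context matches).
    public static void install(Server server, WebAppContext webapp) {
        webapp.setErrorHandler(new SafeErrorHandler());
        server.setErrorHandler(new SafeErrorHandler());
    }
}
```

This hides the path from the client but does not change the status code Jetty chooses for the malformed request; only the fixed releases address the underlying InvalidPathException handling.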
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.eclipse.jetty:jetty-server (Maven) | >= 9.4.0, < 9.4.11.v20180605 | 9.4.11.v20180605 |
| org.eclipse.jetty:jetty-server (Maven) | >= 9.0.0, < 9.3.24.v20180605 | 9.3.24.v20180605 |
Affected products
- The Eclipse Foundation / Eclipse Jetty (version range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-9rgv-h7x4-qw8g (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-12536 (GHSA; advisory)
- www.securitytracker.com/id/1041194 (MITRE; vdb-entry, x_refsource_SECTRACK)
- bugs.eclipse.org/bugs/show_bug.cgi (GHSA; x_refsource_CONFIRM, web)
- lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E (MITRE; mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E (GHSA; web)
- lists.debian.org/debian-lts-announce/2021/05/msg00016.html (GHSA; mailing-list, x_refsource_MLIST, web)
- security.netapp.com/advisory/ntap-20181014-0001 (GHSA; web)
- security.netapp.com/advisory/ntap-20181014-0001/ (MITRE; x_refsource_CONFIRM)
- support.hpe.com/hpsc/doc/public/display (GHSA; x_refsource_CONFIRM, web)
- web.archive.org/web/20200516001904/http://www.securitytracker.com/id/1041194 (GHSA; web)
- www.oracle.com/security-alerts/cpuoct2020.html (GHSA; x_refsource_MISC, web)
- www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html (GHSA; x_refsource_MISC, web)
News mentions
No linked articles in our index yet.