CVE-2019-10241
Description
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Eclipse Jetty versions prior to 9.2.27, 9.3.26, and 9.4.16 have an XSS vulnerability when directory listing is enabled via DefaultServlet or ResourceHandler.
The vulnerability exists in the DefaultServlet and ResourceHandler components of Eclipse Jetty, which are used to serve static content and can be configured to display directory listings. When directory listing is enabled, a specially crafted URL can inject arbitrary HTML or JavaScript into the listing page, leading to cross-site scripting (XSS) [1]. The root cause is insufficient sanitization of user-supplied input in the URL path when generating the directory listing response.
An attacker can exploit this by sending a crafted request to a Jetty server where the directory listing feature is active. No authentication is required, and the attacker only needs network access to the server. The malicious URL contains HTML or script code that gets reflected in the listing page, allowing the attacker to execute scripts in the context of the victim's browser session.
Successful exploitation allows an attacker to steal cookies, session tokens, or other sensitive information, or perform actions on behalf of the victim. The impact is limited to the browser session of users viewing the directory listing, but can lead to credential theft or other client-side attacks.
Jetty versions 9.2.27, 9.3.26, and 9.4.16 contain the fix. Users should upgrade to these or later versions. No workaround is available if directory listing is required; however, disabling directory listing mitigates the vulnerability [2].
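The mitigation above is to switch directory listing off. The audit below, added here and not code from the advisory or the Jetty project, walks a web.xml and flags every DefaultServlet whose `dirAllowed` init-param is absent (Jetty 9 defaults it to true, an assumption stated in the code) or set to true; the sample web.xml is constructed.

```python
"""Audit a web.xml for DefaultServlet directory listing left on.
Added example, not from the advisory or the Jetty project; assumes
Jetty 9's DefaultServlet "dirAllowed" init-param defaults to true.
The web.xml strings at the bottom are constructed samples."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.eclipse.jetty.servlet.DefaultServlet"


def _local(tag):
    """Strip any XML namespace so the audit works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_directory_listing(web_xml):
    """Return (servlet-name, finding) for each DefaultServlet whose
    dirAllowed is missing (listing on by default) or true; an empty
    list means listing is disabled for every DefaultServlet mapping."""
    findings = []
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in servlet}
        if fields.get("servlet-class") != DEFAULT_SERVLET:
            continue
        params = {}
        for p in servlet:
            if _local(p.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in p}
                params[kv.get("param-name")] = kv.get("param-value")
        value = params.get("dirAllowed")
        name = fields.get("servlet-name", "?")
        if value is None:
            findings.append((name, "dirAllowed not set; defaults to true"))
        elif value.lower() == "true":
            findings.append((name, "dirAllowed explicitly true"))
    return findings


# constructed: the weak setting beside its corrected form
WEAK_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <init-param><param-name>dirAllowed</param-name>
                <param-value>true</param-value></init-param>
  </servlet>
</web-app>"""
HARDENED_WEB_XML = WEAK_WEB_XML.replace("<param-value>true", "<param-value>false")
```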
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.eclipse.jetty:jetty-server | Maven | < 9.2.27.v20190403 | 9.2.27.v20190403 |
| org.eclipse.jetty:jetty-server | Maven | >= 9.3.0, < 9.3.26.v20190403 | 9.3.26.v20190403 |
| org.eclipse.jetty:jetty-server | Maven | >= 9.4.0, < 9.4.16.v20190411 | 9.4.16.v20190411 |
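To triage an inventory against the three ranges in the table, the check below, added here and not code from the advisory or the Jetty project, parses Jetty's `major.minor.patch.vYYYYMMDD` version strings and reports whether each falls inside an affected range; the ranges are copied from the table and the versions fed in at the bottom are constructed.

```python
"""Check a jetty-server version against the CVE-2019-10241 ranges in
the table above.  Added example, not code from the advisory or the
Jetty project; the ranges are copied from the table, the versions
checked at the bottom are constructed samples."""
import re

# (lower bound inclusive or None, upper bound exclusive), one per Jetty
# branch, exactly as the "Affected versions" column gives them.
AFFECTED_RANGES = [
    (None, "9.2.27.v20190403"),
    ("9.3.0", "9.3.26.v20190403"),
    ("9.4.0", "9.4.16.v20190411"),
]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.v(\d{8}))?$")


def parse_jetty_version(text):
    """'9.4.15.v20190215' -> (9, 4, 15, 20190215); Jetty's .vYYYYMMDD
    release stamp is optional and recorded as 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version: {text!r}")
    major, minor, patch, stamp = m.groups()
    return (int(major), int(minor), int(patch), int(stamp or 0))


def _less_than(a, b):
    """Order on major.minor.patch; the stamp only breaks ties when both
    sides carry one, so a bare '9.4.16' is not misread as older than
    the patched 9.4.16.v20190411."""
    if a[:3] != b[:3]:
        return a[:3] < b[:3]
    return bool(a[3] and b[3]) and a[3] < b[3]


def is_affected(version):
    """True if the version falls inside any range of the table."""
    v = parse_jetty_version(version)
    for low, high in AFFECTED_RANGES:
        if low is not None and _less_than(v, parse_jetty_version(low)):
            continue  # below this branch's lower bound
        if _less_than(v, parse_jetty_version(high)):
            return True
    return False


if __name__ == "__main__":
    # constructed sample of versions from a dependency inventory
    for v in ["9.4.15.v20190215", "9.4.16.v20190411", "9.3.25.v20180904",
              "9.2.28.v20190418", "10.0.0"]:
        print(f"{v:20s} {'AFFECTED' if is_affected(v) else 'ok'}")
```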
Affected products
- The Eclipse Foundation / Eclipse Jetty (v5), range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-7vx9-xjhr-rw6h (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10241 (NVD, advisory)
- www.debian.org/security/2021/dsa-4949 (Debian vendor advisory)
- bugs.eclipse.org/bugs/show_bug.cgi (Eclipse bug tracker, confirm)
- lists.apache.org/thread.html/01e004c3f7c7365863a27e7038b7f32dae56ccf3a496b277c9b7f7b6@%3Cjira.kafka.apache.org%3E (mailing list)
- lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E (mailing list)
- lists.apache.org/thread.html/464892b514c029dfc0c8656a93e1c0de983c473df70fdadbd224e09f@%3Cjira.kafka.apache.org%3E (mailing list)
- lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E (mailing list)
- lists.apache.org/thread.html/8bff534863c7aaf09bb17c3d0532777258dd3a5c7ddda34198cc2742@%3Cdev.kafka.apache.org%3E (mailing list)
- lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E (mailing list)
- lists.apache.org/thread.html/bcfb37bfba7b3d7e9c7808b5e5a38a98d6bb714d52cf5162bdd48e32@%3Cjira.kafka.apache.org%3E (mailing list)
- lists.apache.org/thread.html/d7c4a664a34853f57c2163ab562f39802df5cf809523ea40c97289c1@%3Cdev.kafka.apache.org%3E (mailing list)
- lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E (mailing list)
- lists.debian.org/debian-lts-announce/2021/05/msg00016.html (Debian LTS mailing list)
- security.netapp.com/advisory/ntap-20190509-0003/ (NetApp advisory, confirm)
- www.oracle.com/security-alerts/cpuoct2020.html (Oracle Critical Patch Update, October 2020)
- www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html (Oracle Critical Patch Update, October 2019)
News mentions
No linked articles in our index yet.