CVE-2019-10246
Description
In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Eclipse Jetty on Windows exposes full base resource directory path in directory listings, affecting versions 9.2.27, 9.3.26, 9.4.16.
The vulnerability lies in Eclipse Jetty's DefaultServlet and ResourceHandler when configured to show directory listings on Windows. The server leaks the fully qualified Base Resource directory name in the HTML output of directory listings [1][2]. For example, if the base resource is C:\applications\appname\webapps\private.war, that exact path is revealed to the client.
Exploitation requires the server to be running on Windows with directory listing enabled. A remote attacker can trigger this by requesting a directory that has listing enabled; no authentication is necessary. The attack surface is limited to the configured base resource directories, but the path exposure can aid in further attacks [2].
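A quick offline check for the disclosure described above, as an added example that is not part of the original advisory or of Jetty itself. The two HTML listings are constructed samples: the vulnerable one places the path quoted above into a Jetty-style listing, the clean one shows what a listing should look like after the fix. The regular expression flags drive-letter and UNC paths (both are absolute Windows paths a listing should never contain), and scan_listing shows how the same check would be run against a live directory URL.

```python
import html
import re
import urllib.request

# Drive-letter paths (C:\... or C:/...) and UNC paths (\\server\share\...).
# The lookbehind stops scheme prefixes such as "http://" from matching.
_WIN_PATH = re.compile(
    r"""(?<![A-Za-z0-9])[A-Za-z]:[\\/][^\s<>"']*"""
    r"""|\\\\[\w.-]+\\[^\s<>"']*"""
)


def find_leaked_paths(listing_html: str) -> list[str]:
    """Return absolute Windows paths found in a directory-listing body (deduplicated, in order)."""
    text = html.unescape(listing_html)  # entities such as &amp; are decoded before matching
    seen, found = set(), []
    for match in _WIN_PATH.finditer(text):
        path = match.group(0)
        if path not in seen:
            seen.add(path)
            found.append(path)
    return found


def scan_listing(url: str, timeout: float = 10.0) -> list[str]:
    """Fetch a directory URL and report any leaked paths (network call; not used by the samples below)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return find_leaked_paths(body)


# Constructed sample of a listing that exposes the base resource path (not real Jetty output).
VULNERABLE_LISTING = r"""<!DOCTYPE html>
<html><head><title>Directory: C:\applications\appname\webapps\private.war\docs\</title></head>
<body><h1>Directory: C:\applications\appname\webapps\private.war\docs\</h1>
<table>
<tr><td><a href="../">Parent Directory</a></td><td></td></tr>
<tr><td><a href="readme.txt">readme.txt</a></td><td>12 bytes</td></tr>
</table></body></html>"""

# Constructed sample of the expected, context-relative listing.
CLEAN_LISTING = r"""<!DOCTYPE html>
<html><head><title>Directory: /docs/</title></head>
<body><h1>Directory: /docs/</h1>
<table>
<tr><td><a href="../">Parent Directory</a></td><td></td></tr>
<tr><td><a href="readme.txt">readme.txt</a></td><td>12 bytes</td></tr>
</table></body></html>"""


if __name__ == "__main__":
    print("vulnerable:", find_leaked_paths(VULNERABLE_LISTING))
    print("clean:", find_leaked_paths(CLEAN_LISTING))
```

Running the check against every directory URL a crawler turns up (rather than only the web root) matters because the leak is limited to resources that actually render a listing; a single hardened path says nothing about the other base resources configured on the same server.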
The impact is information disclosure: the attacker learns the full filesystem path of the base resource, which may reveal application structure or sensitive deployment details. This is classified as CWE-213 (Exposure of Sensitive Information Due to Incompatible Policies) [2].
Mitigation is available by upgrading to Jetty 9.2.28.v20190418, 9.3.27.v20190418, or 9.4.17.v20190418, which fix the disclosure [2]. Windows deployments should apply the update promptly. Where an upgrade is not immediately possible, disabling directory listings removes the output that carries the path: for DefaultServlet that is the dirAllowed init parameter (set it to false; it defaults to true), and for an embedded ResourceHandler it is setDirectoriesListed(false). Directory listings are rarely needed in production and are worth disabling independently of this CVE, since they enumerate file names on any platform.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
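An added example, not from the advisory or the Jetty project, of auditing a web.xml for DefaultServlet declarations that still allow directory listings, which is the workaround for deployments that cannot upgrade yet. The web.xml below is a constructed sample; the servlet class name and the dirAllowed parameter are Jetty 9's, and a servlet with no dirAllowed entry is reported as enabled because that is the servlet's default.

```python
import xml.etree.ElementTree as ET

# Jetty 9 static-content servlet; its dirAllowed init parameter defaults to true.
DEFAULT_SERVLET = "org.eclipse.jetty.servlet.DefaultServlet"


def _local(tag: str) -> str:
    """Strip the XML namespace so web.xml files with any schema version are handled alike."""
    return tag.rsplit("}", 1)[-1]


def _text(elem) -> str:
    return (elem.text or "").strip()


def listing_enabled_servlets(web_xml: str) -> list[str]:
    """Return the names of DefaultServlet declarations whose directory listing is not disabled."""
    root = ET.fromstring(web_xml)
    flagged = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = cls = ""
        params = {}
        for child in servlet:
            tag = _local(child.tag)
            if tag == "servlet-name":
                name = _text(child)
            elif tag == "servlet-class":
                cls = _text(child)
            elif tag == "init-param":
                pname = pvalue = ""
                for p in child:
                    if _local(p.tag) == "param-name":
                        pname = _text(p)
                    elif _local(p.tag) == "param-value":
                        pvalue = _text(p)
                if pname:
                    params[pname] = pvalue
        # Missing parameter means the default (true), so only an explicit "false" passes.
        if cls == DEFAULT_SERVLET and params.get("dirAllowed", "true").lower() != "false":
            flagged.append(name)
    return flagged


# Constructed sample web.xml: one explicit opt-in, one hardened, one relying on the default,
# and one unrelated servlet that must be ignored.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <init-param><param-name>dirAllowed</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>static</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <init-param><param-name>resourceBase</param-name><param-value>/var/www/static</param-value></init-param>
    <init-param><param-name>dirAllowed</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>files</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>api</servlet-name>
    <servlet-class>com.example.ApiServlet</servlet-class>
  </servlet>
</web-app>"""


if __name__ == "__main__":
    print("directory listing still enabled for:", listing_enabled_servlets(SAMPLE_WEB_XML))
```

The audit covers only what a web.xml declares: Jetty's own webdefault.xml also registers a DefaultServlet, and embedded deployments configure ResourceHandler in code, so both need the same check by hand.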
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.eclipse.jetty:jetty-server | Maven | >= 9.2.0, < 9.2.28.v20190418 | 9.2.28.v20190418 |
| org.eclipse.jetty:jetty-server | Maven | >= 9.3.0, < 9.3.27.v20190418 | 9.3.27.v20190418 |
| org.eclipse.jetty:jetty-server | Maven | >= 9.4.0, < 9.4.17.v20190418 | 9.4.17.v20190418 |
Affected products
- The Eclipse Foundation / Eclipse Jetty, affected range: 9.2.27
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-r28m-g6j9-r2h5 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10246 (NVD)
- bugs.eclipse.org/bugs/show_bug.cgi (Eclipse bug tracker; vendor confirmation)
- lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E (Apache NiFi commits mailing list)
- lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E (Apache NiFi commits mailing list)
- security.netapp.com/advisory/ntap-20190509-0003/ (NetApp advisory; vendor confirmation)
- www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html (Oracle Critical Patch Update, October 2019)
- www.oracle.com/security-alerts/cpujan2020.html (Oracle Critical Patch Update, January 2020)
- www.oracle.com/security-alerts/cpuapr2020.html (Oracle Critical Patch Update, April 2020)
- www.oracle.com/security-alerts/cpujul2020.html (Oracle Critical Patch Update, July 2020)
- www.oracle.com/security-alerts/cpuoct2020.html (Oracle Critical Patch Update, October 2020)
- www.oracle.com/security-alerts/cpujan2021.html (Oracle Critical Patch Update, January 2021)
- www.oracle.com/security-alerts/cpuApr2021.html (Oracle Critical Patch Update, April 2021)
News mentions
No linked articles in our index yet.