CVE-2019-10247
Description
In Eclipse Jetty versions 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server, on any OS and Jetty version combination, reveals the configured fully qualified directory base resource location in the output of the 404 error returned when no Context matches the requested path. The default server behavior in jetty-distribution and jetty-home places a DefaultHandler at the end of the Handler tree; this handler is responsible for reporting the 404 error and presents the various configured contexts as HTML for users to click through to. The produced HTML includes the configured fully qualified directory base resource location for each context.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Eclipse Jetty versions 7.x-9.4.16 reveal the configured absolute directory base path of each context in HTML output of 404 error pages via the DefaultHandler.
Eclipse Jetty versions 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older suffer from an information disclosure vulnerability in the DefaultHandler. When no Context matches the requested path, the Jetty server returns a 404 error page that includes an HTML list of all configured contexts, displaying the fully qualified directory base resource location for each context [1][2]. The affected handler is part of the default handler tree in both jetty-distribution and jetty-home distributions.
The vulnerability is exploitable without authentication; simply requesting an invalid path on a running Jetty instance triggers the default 404 page. The attack surface includes any Jetty server exposing these endpoints, requiring only network access to the server's HTTP port. No special privileges or user interaction are needed [1][2].
An attacker who observes the 404 error page can learn the absolute filesystem paths for each deployed web application context. This leaked information aids in mapping the server's directory structure, potentially facilitating further attacks such as path traversal or targeted file access. The disclosure is limited to directory paths and does not directly expose file contents or credentials [2].
The issue was fixed in Jetty versions 9.2.28, 9.3.27, 9.4.17, and later releases. Users should upgrade to these or newer versions. For environments where upgrading is not immediately possible, administrators can consider customizing the 404 error handler to suppress context path details [2]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.
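The interim mitigation described above, suppressing the context listing in the DefaultHandler, as an added example (not code from the Jetty project or this advisory). It uses the Jetty 9 API calls DefaultHandler.setShowContexts(false) and setServeIcon(false); the context path /app, the port and the base directory /srv/www/app are constructed placeholders.

```java
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ContextHandler;
import org.eclipse.jetty.server.handler.ContextHandlerCollection;
import org.eclipse.jetty.server.handler.DefaultHandler;
import org.eclipse.jetty.server.handler.HandlerList;
import org.eclipse.jetty.server.handler.ResourceHandler;

public class QuietDefaultHandlerExample {

    // Builds a Jetty 9 server whose terminal 404 handler does not list
    // configured contexts, so their base resource paths are never echoed.
    public static Server build(int port) {
        Server server = new Server(port);

        // One static context with an absolute base directory (placeholder).
        // On an unpatched Jetty with showContexts=true, this path would appear
        // in the HTML of the DefaultHandler's 404 page.
        ContextHandlerCollection contexts = new ContextHandlerCollection();
        ContextHandler app = new ContextHandler("/app");
        ResourceHandler files = new ResourceHandler();
        files.setResourceBase("/srv/www/app");
        app.setHandler(files);
        contexts.addHandler(app);

        // DefaultHandler sits last in the handler tree and answers requests
        // that no context matched. Disabling showContexts keeps the 404 body
        // free of the context list (and therefore of base resource locations).
        DefaultHandler fallback = new DefaultHandler();
        fallback.setShowContexts(false);
        fallback.setServeIcon(false);

        HandlerList handlers = new HandlerList();
        handlers.setHandlers(new Handler[] { contexts, fallback });
        server.setHandler(handlers);
        return server;
    }

    public static void main(String[] args) throws Exception {
        Server server = build(8080);
        server.start();
        server.join();
    }
}
```

Upgrading to a fixed release remains the primary remedy; this setting only removes the context listing from the default 404 response on versions that still ship the vulnerable handler.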
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.eclipse.jetty:jetty-server (Maven) | >= 7.0.0, < 9.2.28.v20190418 | 9.2.28.v20190418 |
| org.eclipse.jetty:jetty-server (Maven) | >= 9.3.0, < 9.3.27.v20190418 | 9.3.27.v20190418 |
| org.eclipse.jetty:jetty-server (Maven) | >= 9.4.0, < 9.4.17.v20190418 | 9.4.17.v20190418 |
Affected products
- The Eclipse Foundation / Eclipse Jetty (range: 7.x)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-xc67-hjx6-cgg6
- nvd.nist.gov/vuln/detail/CVE-2019-10247
- www.debian.org/security/2021/dsa-4949
- bugs.eclipse.org/bugs/show_bug.cgi
- lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E
- lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
- lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E
- lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E
- lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E
- lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E
- lists.debian.org/debian-lts-announce/2021/05/msg00016.html
- security.netapp.com/advisory/ntap-20190509-0003/
- www.oracle.com/security-alerts/cpuApr2021.html
- www.oracle.com/security-alerts/cpuapr2020.html
- www.oracle.com/security-alerts/cpuapr2022.html
- www.oracle.com/security-alerts/cpujan2020.html
- www.oracle.com/security-alerts/cpujan2021.html
- www.oracle.com/security-alerts/cpujul2020.html
- www.oracle.com/security-alerts/cpuoct2020.html
- www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
News mentions
No linked articles in our index yet.