CVE-2019-17632
Description
In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Eclipse Jetty 9.4.21-9.4.23 ErrorHandler does not escape exception messages in stacktraces, leading to potential XSS attacks.
Vulnerability
In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the default ErrorHandler generates error responses in text/html and text/json content types without escaping exception messages in the included stacktraces [1][2]. This oversight allows malicious exception messages to be injected directly into the response.
Exploitation
An attacker can exploit this by submitting a request that triggers an exception containing a crafted payload, such as JavaScript code. When the error response is rendered in a browser, the unescaped payload executes, enabling cross-site scripting (XSS) attacks. No authentication is required, as Jetty's default error handling applies to unhandled exceptions from any request [2].
Impact
Successful exploitation allows an attacker to execute arbitrary scripts in the context of the user's browser session, potentially leading to data theft, session hijacking, or other malicious actions. This vulnerability has been assigned a CVSS score of 6.1 (Medium) [1].
Mitigation
The issue is fixed in Jetty version 9.4.24.v20191120 [2]. As a workaround, administrators can disable stacktraces in the ErrorHandler by setting showStacks to false at the Server or WebAppContext level [2].
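The workaround described above, as an added example that is not part of this advisory or of the Jetty project's own code: an embedded Jetty 9.4 server that installs an ErrorHandler with showStacks set to false both server-wide and on a WebAppContext, so that exception messages never reach the HTML or JSON error body even on an unpatched version. The port, the WAR path and the class name are assumptions for illustration; ErrorHandler.setShowStacks, Server.addBean and ContextHandler.setErrorHandler are the Jetty 9.4 APIs the example relies on.

```java
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ErrorHandler;
import org.eclipse.jetty.webapp.WebAppContext;

// Hypothetical launcher class: suppresses stack traces in Jetty's default
// error pages, which is the CVE-2019-17632 workaround until 9.4.24 is deployed.
public class NoStackTraceErrors {
    public static void main(String[] args) throws Exception {
        Server server = new Server(8080); // port is a constructed value

        // Server-level default: unhandled errors outside any context use this
        // handler. With showStacks=false the stack trace (and the unescaped
        // exception message it carries) is omitted from the response body.
        ErrorHandler serverErrors = new ErrorHandler();
        serverErrors.setShowStacks(false);
        server.addBean(serverErrors);

        // Context-level: a WebAppContext creates its own ErrorHandler if none
        // is set, and that one takes precedence for requests inside the
        // context, so showStacks must be disabled there as well.
        WebAppContext webapp = new WebAppContext();
        webapp.setContextPath("/");
        webapp.setWar("/path/to/app.war"); // placeholder path
        ErrorHandler contextErrors = new ErrorHandler();
        contextErrors.setShowStacks(false);
        webapp.setErrorHandler(contextErrors);

        server.setHandler(webapp);
        server.start();
        server.join();
    }
}
```

To confirm the setting took effect, request a path that raises an unhandled exception and check that the error page shows only the status line and reason, with no Exception message or stack frames. Disabling stack traces is a stopgap; upgrading to 9.4.24.v20191120 or later is the fix.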
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.eclipse.jetty:jetty-server (Maven) | >= 9.4.21.v20190926, < 9.4.24.v20191120 | 9.4.24.v20191120 |
| org.eclipse.jetty:jetty-server (Maven) | >= 9.4.22.v20191022, < 9.4.24.v20191120 | 9.4.24.v20191120 |
| org.eclipse.jetty:jetty-server (Maven) | >= 9.4.23.v20191118, < 9.4.24.v20191120 | 9.4.24.v20191120 |
Affected products
- The Eclipse Foundation / Eclipse Jetty, range: 9.4.21.v20190926
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-5h9j-q6j2-253f (GitHub Security Advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SAITZ27GKPD2CCNHGT2VBT4VWIBUJJNS/ (Fedora vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-17632 (NVD)
- bugs.eclipse.org/bugs/show_bug.cgi (Eclipse bug tracker, confirmation)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAITZ27GKPD2CCNHGT2VBT4VWIBUJJNS (Fedora package announcement)
- www.oracle.com/security-alerts/cpuApr2021.html (Oracle Critical Patch Update, April 2021)
- www.oracle.com/security-alerts/cpuoct2020.html (Oracle Critical Patch Update, October 2020)
News mentions
No linked articles in our index yet.