Hello! Greetings from the team at Webtide. We wanted to make you aware of a vulnerability that was recently discovered in Jetty and reported as CVE-2019-10241, CVE-2019-10246 and CVE-2019-10247.
If you are using *DefaultServlet* or *ResourceHandler* with indexing/listing, then you are vulnerable to a variant of XSS behaviors surrounding the use of injected HTML element attributes on the parent directory link. We recommend disabling indexing/listing or upgrading to a non-vulnerable version. We have put together a blog post that contains more information on how to disable indexing/listing, which can be found on the Webtide website. - https://webtide.com/indexing-listing-vulnerability/ Additionally, we discovered that usages of *DefaultHandler* were susceptible to a similar leak of information. If no webapp was mounted on the root "*/"* namespace, a page would be generated with links to other namespaces. This has been the default behavior in Jetty for years, but we have removed this to safeguard data. As a result of these CVEs, we have released new versions for the 9.2.x, 9.3.x, and 9.4.x branches. The most up-to-date versions of all three are as follows, and are available both on the Jetty website and Maven Central. Versions affected: - 9.2.26 and older (now EOL) - 9.3.25 and older - 9.4.15 and older Resolved: - 9.2.28.v20190418 - 9.3.27.v20190418 - 9.4.17.v20190418 Best Regards, The Webtide Team
_______________________________________________ jetty-users mailing list [email protected] To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
