Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
5
CVSSv2

CVE-2018-12536

Published: 27/06/2018 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 5.3 | Impact Score: 1.4 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Subscribe to Jetty

Vulnerability Summary

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

eclipse jetty

oracle retail xstore point of service 15.0

oracle retail xstore point of service 16.0.0

oracle retail xstore point of service 7.1

oracle retail xstore point of service 17.0

Vendor Advisories

Debian CVElist Bug Report Logs: jetty9: CVE-2018-12536
Debian Bug report logs - #902774 jetty9: CVE-2018-12536 Package: jetty9; Maintainer for jetty9 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Source for jetty9 is src:jetty9 (PTS, buildd, popcon) Reported by: Markus Koschany <apo@debianorg> Date: Sat, 30 Jun 2018 18:45:04 UTC Severity: g ...
Debian CVElist Bug Report Logs: jetty9: CVE-2017-7656 CVE-2017-7657 CVE-2017-7658
Debian Bug report logs - #902953 jetty9: CVE-2017-7656 CVE-2017-7657 CVE-2017-7658 Package: jetty9; Maintainer for jetty9 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Source for jetty9 is src:jetty9 (PTS, buildd, popcon) Reported by: Markus Koschany <apo@debianorg> Date: Sat, 30 Jun 201 ...
Red Hat: CVE-2018-12536
In Eclipse Jetty Server, all 9x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a javaniofileInvalidPathException which includes the full path to the ...

References

NVD-CWE-noinfohttps://bugs.eclipse.org/bugs/show_bug.cgi?id=535670http://www.securitytracker.com/id/1041194https://security.netapp.com/advisory/ntap-20181014-0001/https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_ushttps://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlhttps://www.oracle.com/security-alerts/cpuoct2020.htmlhttps://lists.debian.org/debian-lts-announce/2021/05/msg00016.htmlhttps://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3Ehttps://nvd.nist.govhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902774https://access.redhat.com/security/cve/cve-2018-12536
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-27977IMAPlocal usersCVE-2024-32038CVE-2023-49963CVE-2023-22869CVE-2024-31497localCVE-2024-2961
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook