CVE-2019-17632

In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
eclipseCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 79%
VendorProductVersion
eclipsejetty
9.4.21:20190926
eclipsejetty
9.4.22:20191022
eclipsejetty
9.4.23:20191118
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
jetty9
bullseye (security)
9.4.50-4+deb11u2
fixed
bullseye
9.4.50-4+deb11u2
fixed
buster
not-affected
stretch
not-affected
jessie
not-affected
bookworm
9.4.50-4+deb12u3
fixed
bookworm (security)
9.4.50-4+deb12u3
fixed
sid
9.4.56-1
fixed
trixie
9.4.56-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jetty
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
eoan
dne
disco
dne
bionic
dne
xenial
needs-triage
trusty
needs-triage
jetty8
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
eoan
dne
disco
dne
bionic
dne
xenial
needs-triage
trusty
needs-triage
jetty9
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
hirsute
ignored
groovy
ignored
focal
not-affected
eoan
ignored
disco
ignored
bionic
needs-triage
xenial
needs-triage
trusty
dne
Common Weakness Enumeration
References
https://bugs.eclipse.org/bugs/show_bug.cgi?id=553443
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SAITZ27GKPD2CCNHGT2VBT4VWIBUJJNS/
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://bugs.eclipse.org/bugs/show_bug.cgi?id=553443
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SAITZ27GKPD2CCNHGT2VBT4VWIBUJJNS/
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuoct2020.html