CVE-2019-10241

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler when it is configured to show a listing of directory contents.

Published: 2019-04-22 Last update: 2024-11-21 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2019-10241 is rated Moderate Risk (56.8/100): CVSS Medium severity, with high exploitation likelihood (EPSS 9.59%, 95th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. Mandatory action: given the high exploitation likelihood, assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2019-10241

EPSS estimates the daily relative likelihood of exploitation; the percentile ranks this CVE among all scored vulnerabilities (a higher percentile means a higher relative rank).

#   Date         Old EPSS score   New EPSS score   Delta (New - Old)
1   2026-06-15   10.41%           9.59%            -0.82%
2   2026-06-04   9.69%            10.41%           +0.72%
3   2026-03-04   -                9.69%            -

Full EPSS history (55 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2019-10241

CVSS metrics for this CVE.

Base score   Version   Severity   Vector                                          Exploitability   Impact   Score source
6.1          3.1       MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N   2.8              2.7      [email protected]
4.3          2.0       MEDIUM     AV:N/AC:M/Au:N/C:N/I:P/A:N                     8.6              2.9      [email protected]

CVSS 3.1 vector breakdown (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N):

Attack vector (AV:N)
Exploitable over the internet or any routed network; local access to the machine is not required.
Attack complexity (AC:L)
Once the vulnerable component is reachable, exploitation is straightforward; no race conditions or unusual setup are needed.
Privileges required (PR:N)
No account or special rights are needed; an anonymous user is enough.
User interaction (UI:R)
A real person has to do something (for example, follow a crafted link) or the attack does not land.
Scope (S:C)
Exploitation can reach past the vulnerable component and affect other resources, so the blast radius is larger.
Confidentiality (C:L)
Some sensitive information could be exposed, but not a total data dump.
Integrity (I:L)
Attackers could change some data, but the change is limited in scope.
Availability (A:N)
The service keeps running; there is no outage angle.

CVSS 2.0 vector breakdown (AV:N/AC:M/Au:N/C:N/I:P/A:N):

Access vector (AV:N)
Can be exploited remotely over the network.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (Au:N)
No authentication is required.
Confidentiality impact (C:N)
No confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:N)
No availability impact.

Weakness enumeration for CVE-2019-10241

GitHub Security Advisory for CVE-2019-10241

GHSA-7vx9-xjhr-rw6h · Severity: medium · Ecosystem: maven — Cross-site Scripting in Eclipse Jetty

OS Trackers for CVE-2019-10241

Vendor   Priority           Summary                                                                                                                        Link
debian   not yet assigned   1 source package (jetty9); 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.                https://security-tracker.debian.org/tracker/CVE-2019-10241
redhat   medium                                                                                                                                            https://access.redhat.com/security/cve/CVE-2019-10241
ubuntu   low                3 source packages (jetty, jetty8, jetty9); 57 status rows across 19 suites (bionic, cosmic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 33, not-affected 14, needed 4, needs-triage 3, ignored 2, released 1.   https://ubuntu.com/security/CVE-2019-10241

Affected software / configurations for CVE-2019-10241

Vendor Product Version Raw CPE
eclipse jetty 9.2.0 cpe:2.3:a:eclipse:jetty:9.2.0:20140523:*:*:*:*:*:*
eclipse jetty 9.2.0 cpe:2.3:a:eclipse:jetty:9.2.0:20140526:*:*:*:*:*:*
eclipse jetty 9.2.0 cpe:2.3:a:eclipse:jetty:9.2.0:maintenance_0:*:*:*:*:*:*
eclipse jetty 9.2.0 cpe:2.3:a:eclipse:jetty:9.2.0:maintenance_1:*:*:*:*:*:*
eclipse jetty 9.2.0 cpe:2.3:a:eclipse:jetty:9.2.0:rc0:*:*:*:*:*:*
eclipse jetty 9.2.1 cpe:2.3:a:eclipse:jetty:9.2.1:20140609:*:*:*:*:*:*
eclipse jetty 9.2.2 cpe:2.3:a:eclipse:jetty:9.2.2:20140723:*:*:*:*:*:*
eclipse jetty 9.2.3 cpe:2.3:a:eclipse:jetty:9.2.3:20140905:*:*:*:*:*:*
eclipse jetty 9.2.4 cpe:2.3:a:eclipse:jetty:9.2.4:20141103:*:*:*:*:*:*
eclipse jetty 9.2.5 cpe:2.3:a:eclipse:jetty:9.2.5:20141112:*:*:*:*:*:*
eclipse jetty 9.2.6 cpe:2.3:a:eclipse:jetty:9.2.6:20141203:*:*:*:*:*:*
eclipse jetty 9.2.6 cpe:2.3:a:eclipse:jetty:9.2.6:20141205:*:*:*:*:*:*
eclipse jetty 9.2.7 cpe:2.3:a:eclipse:jetty:9.2.7:20150116:*:*:*:*:*:*
eclipse jetty 9.2.8 cpe:2.3:a:eclipse:jetty:9.2.8:20150217:*:*:*:*:*:*
eclipse jetty 9.2.9 cpe:2.3:a:eclipse:jetty:9.2.9:20150224:*:*:*:*:*:*
eclipse jetty 9.2.10 cpe:2.3:a:eclipse:jetty:9.2.10:20150310:*:*:*:*:*:*
eclipse jetty 9.2.11 cpe:2.3:a:eclipse:jetty:9.2.11:20150528:*:*:*:*:*:*
eclipse jetty 9.2.11 cpe:2.3:a:eclipse:jetty:9.2.11:20150529:*:*:*:*:*:*
eclipse jetty 9.2.11 cpe:2.3:a:eclipse:jetty:9.2.11:maintenance_0:*:*:*:*:*:*
eclipse jetty 9.2.12 cpe:2.3:a:eclipse:jetty:9.2.12:20150709:*:*:*:*:*:*
eclipse jetty 9.2.12 cpe:2.3:a:eclipse:jetty:9.2.12:maintenance_0:*:*:*:*:*:*
eclipse jetty 9.2.13 cpe:2.3:a:eclipse:jetty:9.2.13:20150730:*:*:*:*:*:*
eclipse jetty 9.2.14 cpe:2.3:a:eclipse:jetty:9.2.14:20151106:*:*:*:*:*:*
eclipse jetty 9.2.15 cpe:2.3:a:eclipse:jetty:9.2.15:20160210:*:*:*:*:*:*
eclipse jetty 9.2.16 cpe:2.3:a:eclipse:jetty:9.2.16:20160407:*:*:*:*:*:*
eclipse jetty 9.2.16 cpe:2.3:a:eclipse:jetty:9.2.16:20160414:*:*:*:*:*:*
eclipse jetty 9.2.17 cpe:2.3:a:eclipse:jetty:9.2.17:20160517:*:*:*:*:*:*
eclipse jetty 9.2.18 cpe:2.3:a:eclipse:jetty:9.2.18:20160721:*:*:*:*:*:*
eclipse jetty 9.2.19 cpe:2.3:a:eclipse:jetty:9.2.19:20160908:*:*:*:*:*:*
eclipse jetty 9.2.20 cpe:2.3:a:eclipse:jetty:9.2.20:20161216:*:*:*:*:*:*
eclipse jetty 9.2.21 cpe:2.3:a:eclipse:jetty:9.2.21:20170120:*:*:*:*:*:*
eclipse jetty 9.2.22 cpe:2.3:a:eclipse:jetty:9.2.22:20170606:*:*:*:*:*:*
eclipse jetty 9.2.23 cpe:2.3:a:eclipse:jetty:9.2.23:20171218:*:*:*:*:*:*
eclipse jetty 9.2.24 cpe:2.3:a:eclipse:jetty:9.2.24:20180105:*:*:*:*:*:*
eclipse jetty 9.2.25 cpe:2.3:a:eclipse:jetty:9.2.25:20180606:*:*:*:*:*:*
eclipse jetty 9.2.26 cpe:2.3:a:eclipse:jetty:9.2.26:20180806:*:*:*:*:*:*
eclipse jetty 9.3.0 cpe:2.3:a:eclipse:jetty:9.3.0:20150601:*:*:*:*:*:*
eclipse jetty 9.3.0 cpe:2.3:a:eclipse:jetty:9.3.0:20150608:*:*:*:*:*:*
eclipse jetty 9.3.0 cpe:2.3:a:eclipse:jetty:9.3.0:20150612:*:*:*:*:*:*
eclipse jetty 9.3.0 cpe:2.3:a:eclipse:jetty:9.3.0:maintenance0:*:*:*:*:*:*
eclipse jetty 9.3.0 cpe:2.3:a:eclipse:jetty:9.3.0:maintenance1:*:*:*:*:*:*
eclipse jetty 9.3.0 cpe:2.3:a:eclipse:jetty:9.3.0:maintenance2:*:*:*:*:*:*
eclipse jetty 9.3.0 cpe:2.3:a:eclipse:jetty:9.3.0:rc0:*:*:*:*:*:*
eclipse jetty 9.3.0 cpe:2.3:a:eclipse:jetty:9.3.0:rc1:*:*:*:*:*:*
eclipse jetty 9.3.1 cpe:2.3:a:eclipse:jetty:9.3.1:20150714:*:*:*:*:*:*
eclipse jetty 9.3.2 cpe:2.3:a:eclipse:jetty:9.3.2:20150730:*:*:*:*:*:*
eclipse jetty 9.3.3 cpe:2.3:a:eclipse:jetty:9.3.3:20150825:*:*:*:*:*:*
eclipse jetty 9.3.3 cpe:2.3:a:eclipse:jetty:9.3.3:20150827:*:*:*:*:*:*
eclipse jetty 9.3.4 cpe:2.3:a:eclipse:jetty:9.3.4:20151005:*:*:*:*:*:*
eclipse jetty 9.3.4 cpe:2.3:a:eclipse:jetty:9.3.4:20151007:*:*:*:*:*:*
eclipse jetty 9.3.4 cpe:2.3:a:eclipse:jetty:9.3.4:rc0:*:*:*:*:*:*
eclipse jetty 9.3.4 cpe:2.3:a:eclipse:jetty:9.3.4:rc1:*:*:*:*:*:*
eclipse jetty 9.3.5 cpe:2.3:a:eclipse:jetty:9.3.5:20151012:*:*:*:*:*:*
eclipse jetty 9.3.6 cpe:2.3:a:eclipse:jetty:9.3.6:20151106:*:*:*:*:*:*
eclipse jetty 9.3.7 cpe:2.3:a:eclipse:jetty:9.3.7:20160115:*:*:*:*:*:*
eclipse jetty 9.3.7 cpe:2.3:a:eclipse:jetty:9.3.7:rc0:*:*:*:*:*:*
eclipse jetty 9.3.7 cpe:2.3:a:eclipse:jetty:9.3.7:rc1:*:*:*:*:*:*
eclipse jetty 9.3.8 cpe:2.3:a:eclipse:jetty:9.3.8:20160311:*:*:*:*:*:*
eclipse jetty 9.3.8 cpe:2.3:a:eclipse:jetty:9.3.8:20160314:*:*:*:*:*:*
eclipse jetty 9.3.8 cpe:2.3:a:eclipse:jetty:9.3.8:rc0:*:*:*:*:*:*
eclipse jetty 9.3.9 cpe:2.3:a:eclipse:jetty:9.3.9:20160517:*:*:*:*:*:*
eclipse jetty 9.3.9 cpe:2.3:a:eclipse:jetty:9.3.9:maintenance_0:*:*:*:*:*:*
eclipse jetty 9.3.9 cpe:2.3:a:eclipse:jetty:9.3.9:maintenance_1:*:*:*:*:*:*
eclipse jetty 9.3.10 cpe:2.3:a:eclipse:jetty:9.3.10:20160621:*:*:*:*:*:*
eclipse jetty 9.3.10 cpe:2.3:a:eclipse:jetty:9.3.10:maintenance_0:*:*:*:*:*:*
eclipse jetty 9.3.11 cpe:2.3:a:eclipse:jetty:9.3.11:20160721:*:*:*:*:*:*
eclipse jetty 9.3.11 cpe:2.3:a:eclipse:jetty:9.3.11:maintenance_0:*:*:*:*:*:*
eclipse jetty 9.3.12 cpe:2.3:a:eclipse:jetty:9.3.12:20160915:*:*:*:*:*:*
eclipse jetty 9.3.13 cpe:2.3:a:eclipse:jetty:9.3.13:20161014:*:*:*:*:*:*
eclipse jetty 9.3.13 cpe:2.3:a:eclipse:jetty:9.3.13:maintenance_0:*:*:*:*:*:*
eclipse jetty 9.3.14 cpe:2.3:a:eclipse:jetty:9.3.14:20161028:*:*:*:*:*:*
eclipse jetty 9.3.15 cpe:2.3:a:eclipse:jetty:9.3.15:20161220:*:*:*:*:*:*
eclipse jetty 9.3.16 cpe:2.3:a:eclipse:jetty:9.3.16:20170119:*:*:*:*:*:*
eclipse jetty 9.3.16 cpe:2.3:a:eclipse:jetty:9.3.16:20170120:*:*:*:*:*:*
eclipse jetty 9.3.17 cpe:2.3:a:eclipse:jetty:9.3.17:20170317:*:*:*:*:*:*
eclipse jetty 9.3.17 cpe:2.3:a:eclipse:jetty:9.3.17:rc0:*:*:*:*:*:*
eclipse jetty 9.3.18 cpe:2.3:a:eclipse:jetty:9.3.18:20170406:*:*:*:*:*:*
eclipse jetty 9.3.19 cpe:2.3:a:eclipse:jetty:9.3.19:20170502:*:*:*:*:*:*
eclipse jetty 9.3.20 cpe:2.3:a:eclipse:jetty:9.3.20:20170531:*:*:*:*:*:*
eclipse jetty 9.3.21 cpe:2.3:a:eclipse:jetty:9.3.21:20170918:*:*:*:*:*:*

References for CVE-2019-10241

URL Tags
https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121 Issue Tracking Vendor Advisory
https://lists.apache.org/thread.html/01e004c3f7c7365863a27e7038b7f32dae56ccf3a496b277c9b7f7b6%40%3Cjira.kafka.apache.org%3E
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/464892b514c029dfc0c8656a93e1c0de983c473df70fdadbd224e09f%40%3Cjira.kafka.apache.org%3E
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
https://lists.apache.org/thread.html/8bff534863c7aaf09bb17c3d0532777258dd3a5c7ddda34198cc2742%40%3Cdev.kafka.apache.org%3E
https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/bcfb37bfba7b3d7e9c7808b5e5a38a98d6bb714d52cf5162bdd48e32%40%3Cjira.kafka.apache.org%3E
https://lists.apache.org/thread.html/d7c4a664a34853f57c2163ab562f39802df5cf809523ea40c97289c1%40%3Cdev.kafka.apache.org%3E
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20190509-0003/ Third Party Advisory
https://www.debian.org/security/2021/dsa-4949 Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html Patch Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html Patch Third Party Advisory
cvelogic Threat Intelligence