{
  "threat_severity" : "Moderate",
  "public_date" : "2019-04-22T00:00:00Z",
  "bugzilla" : {
    "description" : "jetty: using specially formatted URL against DefaultServlet or ResourceHandler leads to XSS conditions",
    "id" : "1705924",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1705924"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.7",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents." ],
  "statement" : "This issue affects the versions of jetty which is embedded in the nutch package as shipped with Red Hat Satellite 5. The jetty server is not exposed, as such exploitation is difficult, Red Hat Product Security has rated this issue as having security impact of Low in the context of Red Hat Satellite 5. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
  "affected_release" : [ {
    "product_name" : "Red Hat AMQ",
    "release_date" : "2020-03-23T00:00:00Z",
    "advisory" : "RHSA-2020:0922",
    "cpe" : "cpe:/a:redhat:amq_broker:7",
    "package" : "jetty"
  }, {
    "product_name" : "Red Hat AMQ 7.4.3",
    "release_date" : "2020-04-14T00:00:00Z",
    "advisory" : "RHSA-2020:1445",
    "cpe" : "cpe:/a:redhat:amq_broker:7",
    "package" : "jetty"
  }, {
    "product_name" : "Red Hat Fuse 7.6.0",
    "release_date" : "2020-03-26T00:00:00Z",
    "advisory" : "RHSA-2020:0983",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jetty-eclipse",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "jetty",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Affected",
    "package_name" : "jetty",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss A-MQ 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jetty",
    "cpe" : "cpe:/a:redhat:jboss_amq:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jetty",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat Satellite 5",
    "fix_state" : "Out of support scope",
    "package_name" : "nutch",
    "cpe" : "cpe:/a:redhat:network_satellite:5",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "rh-java-common-jetty",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-10241\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10241" ],
  "name" : "CVE-2019-10241",
  "csaw" : false
}