In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Affected Packages

Maven org.eclipse.jetty:jetty-server

Affected versions: 9.4.0 (fixed in 9.4.11.v20180605)

Maven org.eclipse.jetty:jetty-server

Affected versions: 9.0.0 (fixed in 9.3.24.v20180605)

Related CVEs

CVE-2018-12536

Key Information

GHSA ID

GHSA-9rgv-h7x4-qw8g

Published

October 19, 2018 4:15 PM

Last Modified

August 18, 2023 4:47 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.eclipse.jetty:jetty-server

GitHub Reviewed

✓ Yes

Dataset

Last updated: November 25, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.