CVE-2017-7658

Severity: 9.8 CRITICAL
EPSS: 8.0% (top 7.88%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 26; Latest update Oct 15

Description

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-length headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermed

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (10 packages)

Source | Package | Affected versions | More
Maven | org.eclipse.jetty:jetty-server | 9.3.0 (introduced) to 9.3.24.v20180605 (fixed) | +2 more
NVD | eclipse/jetty | 9.3.0 (introduced) to 9.3.24 (fixed) | +2 more
CVEListV5 | the_eclipse_foundation/eclipse_jetty | unspecified (introduced) to 9.2.25 (fixed) | +4 more
Debian | jetty9 | < 9.2.25-1 | +3 more
NVD | hp/xp_p9000_command_view | 8.4.0-00 to 8.6.2-00 |

Also affects: Debian Linux 9.0

Patches

Vulnerability Details (4)

GHSA: Jetty vulnerable to authorization bypass due to inconsistent HTTP request handling (HTTP Request Smuggling) (2018-10-19)
OSV: Jetty vulnerable to authorization bypass due to inconsistent HTTP request handling (HTTP Request Smuggling) (2018-10-19)
CVEList: CVE-2017-7658: In Eclipse Jetty Server, versions 9... (2018-06-26)
OSV: CVE-2017-7658: In Eclipse Jetty Server, versions 9... (2018-06-26)

Vendor Advisories (3)

Oracle: Oracle REST Data Services Risk Matrix: General (Eclipse Jetty), CVE-2017-7658 (2020-10-15)
Red Hat: jetty: Incorrect header handling (2018-06-07)
Debian: CVE-2017-7658: jetty9 - In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x confi... (2017)

Community (2)

Bugzilla: CVE-2017-7658 jetty: Incorrect header handling (2018-06-27)
Bugzilla: CVE-2017-7656 CVE-2017-7657 CVE-2017-7658 jetty: various flaws [fedora-all] (2018-06-27)
CVE-2017-7658 (CRITICAL CVSS 9.8) | In Eclipse Jetty Server | cvebase.io