CVE-2017-7658

CRITICALImmediate

Published:Jun 26, 2018(7 years ago)

Modified:Nov 21, 2024

Remote ExploitNo Auth RequiredNo InteractionLow Complexity

Vulnerability Description

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Attack Characteristics

Network AccessLow ComplexityNo Auth NeededNo User Interaction

🤖

AI analysis not yet available

Plain-English explanation, risk summary, and remediation steps will appear here once AI analysis is complete.

No Fix Known

No patch has been released yet. Apply workarounds or mitigations where available.

Affected Software

Vendor	Product	Versions	Fixed In
eclipse	jetty	9.2.26	-
eclipse	jetty	9.3.0 - 9.3.24	-
eclipse	jetty	9.4.0 - 9.4.11

Timeline

Published
CVE disclosed publicly
Jun 26, 20187 years ago
Last Modified
Most recent update
Nov 21, 20241 year ago
Indexed to CVEInsight
Added to this platform
Mar 29, 20261 month ago

References

http://www.securityfocus.com/bid/106566Third Party Advisory
http://www.securitytracker.com/id/1041194Third Party Advisory
https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669Third Party Advisory

CVSS Score

v3.1

9.8/ 10.0

CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

At a Glance

Affected Products

References

eclipse / jetty

https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f...

https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411f...

https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8dae...

https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b4...

https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6a...

https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc1569...

https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b45...

https://security.netapp.com/advisory/ntap-20181014-0001/Third Party Advisory

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=...Third Party Advisory

https://www.debian.org/security/2018/dsa-4278Third Party Advisory

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuoct2020.htmlThird Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpujan2019-507280...Patch

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-507283...Patch

http://www.securityfocus.com/bid/106566Third Party Advisory

http://www.securitytracker.com/id/1041194Third Party Advisory

https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669Third Party Advisory