CVE-2017-7658

State: PUBLISHED · Published: 2018-06-26 · Updated: 2024-08-05 · Assigner: eclipse

Description

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

CWE

CWE-444 — CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Affected

The Eclipse Foundation / Eclipse Jetty — v=unspecified <9.2.25 [affected]; v=9.3.0 <unspecified [affected]; v=unspecified <9.3.24 [affected]; v=9.4.0 <unspecified [affected]; v=unspecified <9.4.11 [affected]

CVSS

(none)

References

https://www.debian.org/security/2018/dsa-4278 vendor-advisory, x_refsource_DEBIAN
http://www.securitytracker.com/id/1041194 vdb-entry, x_refsource_SECTRACK
http://www.securityfocus.com/bid/106566 vdb-entry, x_refsource_BID
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E mailing-list, x_refsource_MLIST
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html x_refsource_CONFIRM
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html x_refsource_MISC
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E mailing-list, x_refsource_MLIST
https://www.oracle.com/security-alerts/cpuoct2020.html x_refsource_MISC
https://security.netapp.com/advisory/ntap-20181014-0001/ x_refsource_CONFIRM
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us x_refsource_CONFIRM
https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669 x_refsource_CONFIRM
https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574%40%3Ccommits.druid.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8%40%3Ccommits.druid.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae%40%3Ccommits.druid.apache.org%3E mailing-list, x_refsource_MLIST
https://www.oracle.com//security-alerts/cpujul2021.html x_refsource_MISC

Source

cvelistV5-main/cves/2017/7xxx/CVE-2017-7658.json