CVE-2017-7658
CRITICALEclipse Jetty Server <9.2.x-9.4.x - Info Disclosure
Title source: llmDescription
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
References (17)
Core 17
Core References
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2018/dsa-4278
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1041194
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/106566
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
Patch, Third Party Advisory x_refsource_confirm
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2020.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20181014-0001/
Third Party Advisory x_refsource_confirm
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us
Third Party Advisory x_refsource_confirm
https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574%40%3Ccommits.druid.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8%40%3Ccommits.druid.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae%40%3Ccommits.druid.apache.org%3E
Vendor Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Scores
CVSS v3
9.8
EPSS
0.2099
EPSS Percentile
97.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-444
Status
published
Products (26)
debian/debian_linux
9.0
eclipse/jetty
< 9.2.26
hp/xp_p9000_command_view
8.4.0-00 - 8.6.2-00
netapp/e-series_santricity_management
netapp/e-series_santricity_os_controller
11.0 - 11.50.1
netapp/e-series_santricity_web_services
netapp/hci_management_node
netapp/hci_storage_node
netapp/oncommand_system_manager
3.0 - 3.1.3
netapp/oncommand_unified_manager_for_7-mode
... and 16 more
Published
Jun 26, 2018
Tracked Since
Feb 18, 2026