Vulnerability Details CVE-2017-7657
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.021
EPSS Ranking 83.2%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://www.securitytracker.com/id/1041194
- https://access.redhat.com/errata/RHSA-2019:0910
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574%40%3Ccommits.druid.apache.org%3E
- https://security.netapp.com/advisory/ntap-20181014-0001/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us
- https://www.debian.org/security/2018/dsa-4278
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- http://www.securitytracker.com/id/1041194
- https://access.redhat.com/errata/RHSA-2019:0910
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574%40%3Ccommits.druid.apache.org%3E
- https://security.netapp.com/advisory/ntap-20181014-0001/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us
- https://www.debian.org/security/2018/dsa-4278
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Products affected by CVE-2017-7657
-
cpe:2.3:a:eclipse:jetty:1.0
-
cpe:2.3:a:eclipse:jetty:1.0.1
-
cpe:2.3:a:eclipse:jetty:1.1
-
cpe:2.3:a:eclipse:jetty:1.1.1
-
cpe:2.3:a:eclipse:jetty:1.3
-
cpe:2.3:a:eclipse:jetty:1.3.0
-
cpe:2.3:a:eclipse:jetty:3.0.0
-
cpe:2.3:a:eclipse:jetty:4.1.0
-
cpe:2.3:a:eclipse:jetty:4.2.20
-
cpe:2.3:a:eclipse:jetty:4.2.21
-
cpe:2.3:a:eclipse:jetty:4.2.23
-
cpe:2.3:a:eclipse:jetty:4.2.24
-
cpe:2.3:a:eclipse:jetty:4.2.25
-
cpe:2.3:a:eclipse:jetty:4.2.26
-
cpe:2.3:a:eclipse:jetty:4.2.27
-
cpe:2.3:a:eclipse:jetty:5.0.0
-
cpe:2.3:a:eclipse:jetty:5.1.0
-
cpe:2.3:a:eclipse:jetty:5.1.1
-
cpe:2.3:a:eclipse:jetty:5.1.10
-
cpe:2.3:a:eclipse:jetty:5.1.11
-
cpe:2.3:a:eclipse:jetty:5.1.12
-
cpe:2.3:a:eclipse:jetty:5.1.2
-
cpe:2.3:a:eclipse:jetty:5.1.3
-
cpe:2.3:a:eclipse:jetty:5.1.4
-
cpe:2.3:a:eclipse:jetty:5.1.5
-
cpe:2.3:a:eclipse:jetty:5.1.6
-
cpe:2.3:a:eclipse:jetty:5.1.7
-
cpe:2.3:a:eclipse:jetty:5.1.8
-
cpe:2.3:a:eclipse:jetty:5.1.9
-
cpe:2.3:a:eclipse:jetty:6.0.0
-
cpe:2.3:a:eclipse:jetty:6.0.1
-
cpe:2.3:a:eclipse:jetty:6.0.2
-
cpe:2.3:a:eclipse:jetty:6.1.0
-
cpe:2.3:a:eclipse:jetty:6.1.1
-
cpe:2.3:a:eclipse:jetty:6.1.10
-
cpe:2.3:a:eclipse:jetty:6.1.11
-
cpe:2.3:a:eclipse:jetty:6.1.12
-
cpe:2.3:a:eclipse:jetty:6.1.14
-
cpe:2.3:a:eclipse:jetty:6.1.15
-
cpe:2.3:a:eclipse:jetty:6.1.16
-
cpe:2.3:a:eclipse:jetty:6.1.17
-
cpe:2.3:a:eclipse:jetty:6.1.18
-
cpe:2.3:a:eclipse:jetty:6.1.19
-
cpe:2.3:a:eclipse:jetty:6.1.2
-
cpe:2.3:a:eclipse:jetty:6.1.20
-
cpe:2.3:a:eclipse:jetty:6.1.21
-
cpe:2.3:a:eclipse:jetty:6.1.22
-
cpe:2.3:a:eclipse:jetty:6.1.23
-
cpe:2.3:a:eclipse:jetty:6.1.24
-
cpe:2.3:a:eclipse:jetty:6.1.25
-
cpe:2.3:a:eclipse:jetty:6.1.26
-
cpe:2.3:a:eclipse:jetty:6.1.3
-
cpe:2.3:a:eclipse:jetty:6.1.4
-
cpe:2.3:a:eclipse:jetty:6.1.5
-
cpe:2.3:a:eclipse:jetty:6.1.6
-
cpe:2.3:a:eclipse:jetty:6.1.7
-
cpe:2.3:a:eclipse:jetty:6.1.8
-
cpe:2.3:a:eclipse:jetty:6.1.9
-
cpe:2.3:a:eclipse:jetty:7.0.0
-
cpe:2.3:a:eclipse:jetty:7.0.1
-
cpe:2.3:a:eclipse:jetty:7.0.2
-
cpe:2.3:a:eclipse:jetty:7.1.0
-
cpe:2.3:a:eclipse:jetty:7.1.1
-
cpe:2.3:a:eclipse:jetty:7.1.2
-
cpe:2.3:a:eclipse:jetty:7.1.3
-
cpe:2.3:a:eclipse:jetty:7.1.4
-
cpe:2.3:a:eclipse:jetty:7.1.5
-
cpe:2.3:a:eclipse:jetty:7.1.6
-
cpe:2.3:a:eclipse:jetty:7.2.0
-
cpe:2.3:a:eclipse:jetty:7.2.1
-
cpe:2.3:a:eclipse:jetty:7.2.2
-
cpe:2.3:a:eclipse:jetty:7.3.0
-
cpe:2.3:a:eclipse:jetty:7.3.1
-
cpe:2.3:a:eclipse:jetty:7.4.0
-
cpe:2.3:a:eclipse:jetty:7.4.1
-
cpe:2.3:a:eclipse:jetty:7.4.2
-
cpe:2.3:a:eclipse:jetty:7.4.3
-
cpe:2.3:a:eclipse:jetty:7.4.4
-
cpe:2.3:a:eclipse:jetty:7.4.5
-
cpe:2.3:a:eclipse:jetty:7.5.0
-
cpe:2.3:a:eclipse:jetty:7.5.1
-
cpe:2.3:a:eclipse:jetty:7.5.2
-
cpe:2.3:a:eclipse:jetty:7.5.3
-
cpe:2.3:a:eclipse:jetty:7.5.4
-
cpe:2.3:a:eclipse:jetty:7.6.0
-
cpe:2.3:a:eclipse:jetty:7.6.1
-
cpe:2.3:a:eclipse:jetty:7.6.10
-
cpe:2.3:a:eclipse:jetty:7.6.11
-
cpe:2.3:a:eclipse:jetty:7.6.12
-
cpe:2.3:a:eclipse:jetty:7.6.13
-
cpe:2.3:a:eclipse:jetty:7.6.14
-
cpe:2.3:a:eclipse:jetty:7.6.15
-
cpe:2.3:a:eclipse:jetty:7.6.16
-
cpe:2.3:a:eclipse:jetty:7.6.17
-
cpe:2.3:a:eclipse:jetty:7.6.18
-
cpe:2.3:a:eclipse:jetty:7.6.19
-
cpe:2.3:a:eclipse:jetty:7.6.2
-
cpe:2.3:a:eclipse:jetty:7.6.20
-
cpe:2.3:a:eclipse:jetty:7.6.21
-
cpe:2.3:a:eclipse:jetty:7.6.3
-
cpe:2.3:a:eclipse:jetty:7.6.4
-
cpe:2.3:a:eclipse:jetty:7.6.5
-
cpe:2.3:a:eclipse:jetty:7.6.6
-
cpe:2.3:a:eclipse:jetty:7.6.7
-
cpe:2.3:a:eclipse:jetty:7.6.8
-
cpe:2.3:a:eclipse:jetty:7.6.9
-
cpe:2.3:a:eclipse:jetty:8-historical
-
cpe:2.3:a:eclipse:jetty:8.0.0
-
cpe:2.3:a:eclipse:jetty:8.0.1
-
cpe:2.3:a:eclipse:jetty:8.0.2
-
cpe:2.3:a:eclipse:jetty:8.0.3
-
cpe:2.3:a:eclipse:jetty:8.0.4
-
cpe:2.3:a:eclipse:jetty:8.1.0
-
cpe:2.3:a:eclipse:jetty:8.1.1
-
cpe:2.3:a:eclipse:jetty:8.1.10
-
cpe:2.3:a:eclipse:jetty:8.1.11
-
cpe:2.3:a:eclipse:jetty:8.1.12
-
cpe:2.3:a:eclipse:jetty:8.1.13
-
cpe:2.3:a:eclipse:jetty:8.1.14
-
cpe:2.3:a:eclipse:jetty:8.1.15
-
cpe:2.3:a:eclipse:jetty:8.1.16
-
cpe:2.3:a:eclipse:jetty:8.1.17
-
cpe:2.3:a:eclipse:jetty:8.1.18
-
cpe:2.3:a:eclipse:jetty:8.1.19
-
cpe:2.3:a:eclipse:jetty:8.1.2
-
cpe:2.3:a:eclipse:jetty:8.1.20
-
cpe:2.3:a:eclipse:jetty:8.1.21
-
cpe:2.3:a:eclipse:jetty:8.1.22
-
cpe:2.3:a:eclipse:jetty:8.1.3
-
cpe:2.3:a:eclipse:jetty:8.1.4
-
cpe:2.3:a:eclipse:jetty:8.1.5
-
cpe:2.3:a:eclipse:jetty:8.1.6
-
cpe:2.3:a:eclipse:jetty:8.1.7
-
cpe:2.3:a:eclipse:jetty:8.1.8
-
cpe:2.3:a:eclipse:jetty:8.1.9
-
cpe:2.3:a:eclipse:jetty:8.2.0
-
cpe:2.3:a:eclipse:jetty:9.0.0
-
cpe:2.3:a:eclipse:jetty:9.0.1
-
cpe:2.3:a:eclipse:jetty:9.0.2
-
cpe:2.3:a:eclipse:jetty:9.0.3
-
cpe:2.3:a:eclipse:jetty:9.0.4
-
cpe:2.3:a:eclipse:jetty:9.0.5
-
cpe:2.3:a:eclipse:jetty:9.0.6
-
cpe:2.3:a:eclipse:jetty:9.0.7
-
cpe:2.3:a:eclipse:jetty:9.1.0
-
cpe:2.3:a:eclipse:jetty:9.1.1
-
cpe:2.3:a:eclipse:jetty:9.1.2
-
cpe:2.3:a:eclipse:jetty:9.1.3
-
cpe:2.3:a:eclipse:jetty:9.1.4
-
cpe:2.3:a:eclipse:jetty:9.1.5
-
cpe:2.3:a:eclipse:jetty:9.1.6
-
cpe:2.3:a:eclipse:jetty:9.2.0
-
cpe:2.3:a:eclipse:jetty:9.2.1
-
cpe:2.3:a:eclipse:jetty:9.2.10
-
cpe:2.3:a:eclipse:jetty:9.2.11
-
cpe:2.3:a:eclipse:jetty:9.2.12
-
cpe:2.3:a:eclipse:jetty:9.2.13
-
cpe:2.3:a:eclipse:jetty:9.2.14
-
cpe:2.3:a:eclipse:jetty:9.2.15
-
cpe:2.3:a:eclipse:jetty:9.2.16
-
cpe:2.3:a:eclipse:jetty:9.2.17
-
cpe:2.3:a:eclipse:jetty:9.2.18
-
cpe:2.3:a:eclipse:jetty:9.2.19
-
cpe:2.3:a:eclipse:jetty:9.2.2
-
cpe:2.3:a:eclipse:jetty:9.2.20
-
cpe:2.3:a:eclipse:jetty:9.2.21
-
cpe:2.3:a:eclipse:jetty:9.2.22
-
cpe:2.3:a:eclipse:jetty:9.2.23
-
cpe:2.3:a:eclipse:jetty:9.2.24
-
cpe:2.3:a:eclipse:jetty:9.2.25
-
cpe:2.3:a:eclipse:jetty:9.2.26
-
cpe:2.3:a:eclipse:jetty:9.2.3
-
cpe:2.3:a:eclipse:jetty:9.2.4
-
cpe:2.3:a:eclipse:jetty:9.2.5
-
cpe:2.3:a:eclipse:jetty:9.2.6
-
cpe:2.3:a:eclipse:jetty:9.2.7
-
cpe:2.3:a:eclipse:jetty:9.2.8
-
cpe:2.3:a:eclipse:jetty:9.2.9
-
cpe:2.3:a:eclipse:jetty:9.3.0
-
cpe:2.3:a:eclipse:jetty:9.3.1
-
cpe:2.3:a:eclipse:jetty:9.3.10
-
cpe:2.3:a:eclipse:jetty:9.3.11
-
cpe:2.3:a:eclipse:jetty:9.3.12
-
cpe:2.3:a:eclipse:jetty:9.3.13
-
cpe:2.3:a:eclipse:jetty:9.3.14
-
cpe:2.3:a:eclipse:jetty:9.3.15
-
cpe:2.3:a:eclipse:jetty:9.3.16
-
cpe:2.3:a:eclipse:jetty:9.3.17
-
cpe:2.3:a:eclipse:jetty:9.3.18
-
cpe:2.3:a:eclipse:jetty:9.3.19
-
cpe:2.3:a:eclipse:jetty:9.3.2
-
cpe:2.3:a:eclipse:jetty:9.3.20
-
cpe:2.3:a:eclipse:jetty:9.3.21
-
cpe:2.3:a:eclipse:jetty:9.3.22
-
cpe:2.3:a:eclipse:jetty:9.3.23
-
cpe:2.3:a:eclipse:jetty:9.3.3
-
cpe:2.3:a:eclipse:jetty:9.3.4
-
cpe:2.3:a:eclipse:jetty:9.3.5
-
cpe:2.3:a:eclipse:jetty:9.3.6
-
cpe:2.3:a:eclipse:jetty:9.3.7
-
cpe:2.3:a:eclipse:jetty:9.3.8
-
cpe:2.3:a:eclipse:jetty:9.3.9
-
cpe:2.3:a:eclipse:jetty:9.4.0
-
cpe:2.3:a:eclipse:jetty:9.4.1
-
cpe:2.3:a:eclipse:jetty:9.4.10
-
cpe:2.3:a:eclipse:jetty:9.4.2
-
cpe:2.3:a:eclipse:jetty:9.4.3
-
cpe:2.3:a:eclipse:jetty:9.4.4
-
cpe:2.3:a:eclipse:jetty:9.4.5
-
cpe:2.3:a:eclipse:jetty:9.4.6
-
cpe:2.3:a:eclipse:jetty:9.4.7
-
cpe:2.3:a:eclipse:jetty:9.4.8
-
cpe:2.3:a:eclipse:jetty:9.4.9
-
cpe:2.3:a:hp:xp_p9000_command_view:8.4.0-00
-
cpe:2.3:a:netapp:e-series_santricity_management:-
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.0
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.0.0
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.20
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.25
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.30
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.30.5r3
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.40
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.40.3r2
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.40.5
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.50.1
-
cpe:2.3:a:netapp:e-series_santricity_web_services:-
-
cpe:2.3:a:netapp:element_software:-
-
cpe:2.3:a:netapp:element_software_management_node:-
-
cpe:2.3:a:netapp:hci_storage_nodes:-
-
cpe:2.3:a:netapp:oncommand_system_manager:3.x
-
cpe:2.3:a:netapp:oncommand_unified_manager:-
-
cpe:2.3:a:netapp:oncommand_unified_manager:5.1
-
cpe:2.3:a:netapp:oncommand_unified_manager:5.2.1
-
cpe:2.3:a:netapp:oncommand_unified_manager:5.2.2
-
cpe:2.3:a:netapp:oncommand_unified_manager:5.2.3
-
cpe:2.3:a:netapp:santricity_cloud_connector:-
-
cpe:2.3:a:netapp:snap_creator_framework:-
-
cpe:2.3:a:netapp:snap_creator_framework:4.1.0
-
cpe:2.3:a:netapp:snap_creator_framework:4.1.1
-
cpe:2.3:a:netapp:snap_creator_framework:4.1.2
-
cpe:2.3:a:netapp:snap_creator_framework:4.3
-
cpe:2.3:a:netapp:snap_creator_framework:4.3.0
-
cpe:2.3:a:netapp:snap_creator_framework:4.3.1
-
cpe:2.3:a:netapp:snap_creator_framework:4.3.2
-
cpe:2.3:a:netapp:snapcenter:-
-
cpe:2.3:a:netapp:snapcenter:1.0
-
cpe:2.3:a:netapp:snapcenter:1.0.1
-
cpe:2.3:a:netapp:snapcenter:1.1
-
cpe:2.3:a:netapp:snapcenter:2.0
-
cpe:2.3:a:netapp:snapcenter:3.0
-
cpe:2.3:a:netapp:snapcenter:3.0.1
-
cpe:2.3:a:netapp:snapcenter:4.0
-
cpe:2.3:a:netapp:snapcenter:4.1
-
cpe:2.3:a:netapp:snapcenter:4.1.1
-
cpe:2.3:a:netapp:snapmanager:-
-
cpe:2.3:a:netapp:snapmanager:1.1.1
-
cpe:2.3:a:netapp:snapmanager:2.0
-
cpe:2.3:a:netapp:snapmanager:2.1
-
cpe:2.3:a:netapp:snapmanager:2.2
-
cpe:2.3:a:netapp:snapmanager:3.0
-
cpe:2.3:a:netapp:snapmanager:3.1
-
cpe:2.3:a:netapp:snapmanager:3.2
-
cpe:2.3:a:netapp:snapmanager:3.3
-
cpe:2.3:a:netapp:snapmanager:3.3.1
-
cpe:2.3:a:netapp:snapmanager:3.4
-
cpe:2.3:a:oracle:rest_data_services:11.2.0.4
-
cpe:2.3:a:oracle:rest_data_services:12.1.0.2
-
cpe:2.3:a:oracle:rest_data_services:12.2.0.1
-
cpe:2.3:a:oracle:rest_data_services:18c
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1
-
cpe:2.3:h:hp:xp_p9000:-
-
cpe:2.3:o:debian:debian_linux:9.0