Vulnerability Details CVE-2017-7658
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.061
EPSS Ranking 90.3%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://www.securityfocus.com/bid/106566
- http://www.securitytracker.com/id/1041194
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574%40%3Ccommits.druid.apache.org%3E
- https://security.netapp.com/advisory/ntap-20181014-0001/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us
- https://www.debian.org/security/2018/dsa-4278
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- http://www.securityfocus.com/bid/106566
- http://www.securitytracker.com/id/1041194
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574%40%3Ccommits.druid.apache.org%3E
- https://security.netapp.com/advisory/ntap-20181014-0001/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us
- https://www.debian.org/security/2018/dsa-4278
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Products affected by CVE-2017-7658
-
cpe:2.3:a:eclipse:jetty:1.0
-
cpe:2.3:a:eclipse:jetty:1.0.1
-
cpe:2.3:a:eclipse:jetty:1.1
-
cpe:2.3:a:eclipse:jetty:1.1.1
-
cpe:2.3:a:eclipse:jetty:1.3
-
cpe:2.3:a:eclipse:jetty:1.3.0
-
cpe:2.3:a:eclipse:jetty:3.0.0
-
cpe:2.3:a:eclipse:jetty:4.1.0
-
cpe:2.3:a:eclipse:jetty:4.2.20
-
cpe:2.3:a:eclipse:jetty:4.2.21
-
cpe:2.3:a:eclipse:jetty:4.2.23
-
cpe:2.3:a:eclipse:jetty:4.2.24
-
cpe:2.3:a:eclipse:jetty:4.2.25
-
cpe:2.3:a:eclipse:jetty:4.2.26
-
cpe:2.3:a:eclipse:jetty:4.2.27
-
cpe:2.3:a:eclipse:jetty:5.0.0
-
cpe:2.3:a:eclipse:jetty:5.1.0
-
cpe:2.3:a:eclipse:jetty:5.1.1
-
cpe:2.3:a:eclipse:jetty:5.1.10
-
cpe:2.3:a:eclipse:jetty:5.1.11
-
cpe:2.3:a:eclipse:jetty:5.1.12
-
cpe:2.3:a:eclipse:jetty:5.1.2
-
cpe:2.3:a:eclipse:jetty:5.1.3
-
cpe:2.3:a:eclipse:jetty:5.1.4
-
cpe:2.3:a:eclipse:jetty:5.1.5
-
cpe:2.3:a:eclipse:jetty:5.1.6
-
cpe:2.3:a:eclipse:jetty:5.1.7
-
cpe:2.3:a:eclipse:jetty:5.1.8
-
cpe:2.3:a:eclipse:jetty:5.1.9
-
cpe:2.3:a:eclipse:jetty:6.0.0
-
cpe:2.3:a:eclipse:jetty:6.0.1
-
cpe:2.3:a:eclipse:jetty:6.0.2
-
cpe:2.3:a:eclipse:jetty:6.1.0
-
cpe:2.3:a:eclipse:jetty:6.1.1
-
cpe:2.3:a:eclipse:jetty:6.1.10
-
cpe:2.3:a:eclipse:jetty:6.1.11
-
cpe:2.3:a:eclipse:jetty:6.1.12
-
cpe:2.3:a:eclipse:jetty:6.1.14
-
cpe:2.3:a:eclipse:jetty:6.1.15
-
cpe:2.3:a:eclipse:jetty:6.1.16
-
cpe:2.3:a:eclipse:jetty:6.1.17
-
cpe:2.3:a:eclipse:jetty:6.1.18
-
cpe:2.3:a:eclipse:jetty:6.1.19
-
cpe:2.3:a:eclipse:jetty:6.1.2
-
cpe:2.3:a:eclipse:jetty:6.1.20
-
cpe:2.3:a:eclipse:jetty:6.1.21
-
cpe:2.3:a:eclipse:jetty:6.1.22
-
cpe:2.3:a:eclipse:jetty:6.1.23
-
cpe:2.3:a:eclipse:jetty:6.1.24
-
cpe:2.3:a:eclipse:jetty:6.1.25
-
cpe:2.3:a:eclipse:jetty:6.1.26
-
cpe:2.3:a:eclipse:jetty:6.1.3
-
cpe:2.3:a:eclipse:jetty:6.1.4
-
cpe:2.3:a:eclipse:jetty:6.1.5
-
cpe:2.3:a:eclipse:jetty:6.1.6
-
cpe:2.3:a:eclipse:jetty:6.1.7
-
cpe:2.3:a:eclipse:jetty:6.1.8
-
cpe:2.3:a:eclipse:jetty:6.1.9
-
cpe:2.3:a:eclipse:jetty:7.0.0
-
cpe:2.3:a:eclipse:jetty:7.0.1
-
cpe:2.3:a:eclipse:jetty:7.0.2
-
cpe:2.3:a:eclipse:jetty:7.1.0
-
cpe:2.3:a:eclipse:jetty:7.1.1
-
cpe:2.3:a:eclipse:jetty:7.1.2
-
cpe:2.3:a:eclipse:jetty:7.1.3
-
cpe:2.3:a:eclipse:jetty:7.1.4
-
cpe:2.3:a:eclipse:jetty:7.1.5
-
cpe:2.3:a:eclipse:jetty:7.1.6
-
cpe:2.3:a:eclipse:jetty:7.2.0
-
cpe:2.3:a:eclipse:jetty:7.2.1
-
cpe:2.3:a:eclipse:jetty:7.2.2
-
cpe:2.3:a:eclipse:jetty:7.3.0
-
cpe:2.3:a:eclipse:jetty:7.3.1
-
cpe:2.3:a:eclipse:jetty:7.4.0
-
cpe:2.3:a:eclipse:jetty:7.4.1
-
cpe:2.3:a:eclipse:jetty:7.4.2
-
cpe:2.3:a:eclipse:jetty:7.4.3
-
cpe:2.3:a:eclipse:jetty:7.4.4
-
cpe:2.3:a:eclipse:jetty:7.4.5
-
cpe:2.3:a:eclipse:jetty:7.5.0
-
cpe:2.3:a:eclipse:jetty:7.5.1
-
cpe:2.3:a:eclipse:jetty:7.5.2
-
cpe:2.3:a:eclipse:jetty:7.5.3
-
cpe:2.3:a:eclipse:jetty:7.5.4
-
cpe:2.3:a:eclipse:jetty:7.6.0
-
cpe:2.3:a:eclipse:jetty:7.6.1
-
cpe:2.3:a:eclipse:jetty:7.6.10
-
cpe:2.3:a:eclipse:jetty:7.6.11
-
cpe:2.3:a:eclipse:jetty:7.6.12
-
cpe:2.3:a:eclipse:jetty:7.6.13
-
cpe:2.3:a:eclipse:jetty:7.6.14
-
cpe:2.3:a:eclipse:jetty:7.6.15
-
cpe:2.3:a:eclipse:jetty:7.6.16
-
cpe:2.3:a:eclipse:jetty:7.6.17
-
cpe:2.3:a:eclipse:jetty:7.6.18
-
cpe:2.3:a:eclipse:jetty:7.6.19
-
cpe:2.3:a:eclipse:jetty:7.6.2
-
cpe:2.3:a:eclipse:jetty:7.6.20
-
cpe:2.3:a:eclipse:jetty:7.6.21
-
cpe:2.3:a:eclipse:jetty:7.6.3
-
cpe:2.3:a:eclipse:jetty:7.6.4
-
cpe:2.3:a:eclipse:jetty:7.6.5
-
cpe:2.3:a:eclipse:jetty:7.6.6
-
cpe:2.3:a:eclipse:jetty:7.6.7
-
cpe:2.3:a:eclipse:jetty:7.6.8
-
cpe:2.3:a:eclipse:jetty:7.6.9
-
cpe:2.3:a:eclipse:jetty:8-historical
-
cpe:2.3:a:eclipse:jetty:8.0.0
-
cpe:2.3:a:eclipse:jetty:8.0.1
-
cpe:2.3:a:eclipse:jetty:8.0.2
-
cpe:2.3:a:eclipse:jetty:8.0.3
-
cpe:2.3:a:eclipse:jetty:8.0.4
-
cpe:2.3:a:eclipse:jetty:8.1.0
-
cpe:2.3:a:eclipse:jetty:8.1.1
-
cpe:2.3:a:eclipse:jetty:8.1.10
-
cpe:2.3:a:eclipse:jetty:8.1.11
-
cpe:2.3:a:eclipse:jetty:8.1.12
-
cpe:2.3:a:eclipse:jetty:8.1.13
-
cpe:2.3:a:eclipse:jetty:8.1.14
-
cpe:2.3:a:eclipse:jetty:8.1.15
-
cpe:2.3:a:eclipse:jetty:8.1.16
-
cpe:2.3:a:eclipse:jetty:8.1.17
-
cpe:2.3:a:eclipse:jetty:8.1.18
-
cpe:2.3:a:eclipse:jetty:8.1.19
-
cpe:2.3:a:eclipse:jetty:8.1.2
-
cpe:2.3:a:eclipse:jetty:8.1.20
-
cpe:2.3:a:eclipse:jetty:8.1.21
-
cpe:2.3:a:eclipse:jetty:8.1.22
-
cpe:2.3:a:eclipse:jetty:8.1.3
-
cpe:2.3:a:eclipse:jetty:8.1.4
-
cpe:2.3:a:eclipse:jetty:8.1.5
-
cpe:2.3:a:eclipse:jetty:8.1.6
-
cpe:2.3:a:eclipse:jetty:8.1.7
-
cpe:2.3:a:eclipse:jetty:8.1.8
-
cpe:2.3:a:eclipse:jetty:8.1.9
-
cpe:2.3:a:eclipse:jetty:8.2.0
-
cpe:2.3:a:eclipse:jetty:9.0.0
-
cpe:2.3:a:eclipse:jetty:9.0.1
-
cpe:2.3:a:eclipse:jetty:9.0.2
-
cpe:2.3:a:eclipse:jetty:9.0.3
-
cpe:2.3:a:eclipse:jetty:9.0.4
-
cpe:2.3:a:eclipse:jetty:9.0.5
-
cpe:2.3:a:eclipse:jetty:9.0.6
-
cpe:2.3:a:eclipse:jetty:9.0.7
-
cpe:2.3:a:eclipse:jetty:9.1.0
-
cpe:2.3:a:eclipse:jetty:9.1.1
-
cpe:2.3:a:eclipse:jetty:9.1.2
-
cpe:2.3:a:eclipse:jetty:9.1.3
-
cpe:2.3:a:eclipse:jetty:9.1.4
-
cpe:2.3:a:eclipse:jetty:9.1.5
-
cpe:2.3:a:eclipse:jetty:9.1.6
-
cpe:2.3:a:eclipse:jetty:9.2.0
-
cpe:2.3:a:eclipse:jetty:9.2.1
-
cpe:2.3:a:eclipse:jetty:9.2.10
-
cpe:2.3:a:eclipse:jetty:9.2.11
-
cpe:2.3:a:eclipse:jetty:9.2.12
-
cpe:2.3:a:eclipse:jetty:9.2.13
-
cpe:2.3:a:eclipse:jetty:9.2.14
-
cpe:2.3:a:eclipse:jetty:9.2.15
-
cpe:2.3:a:eclipse:jetty:9.2.16
-
cpe:2.3:a:eclipse:jetty:9.2.17
-
cpe:2.3:a:eclipse:jetty:9.2.18
-
cpe:2.3:a:eclipse:jetty:9.2.19
-
cpe:2.3:a:eclipse:jetty:9.2.2
-
cpe:2.3:a:eclipse:jetty:9.2.20
-
cpe:2.3:a:eclipse:jetty:9.2.21
-
cpe:2.3:a:eclipse:jetty:9.2.22
-
cpe:2.3:a:eclipse:jetty:9.2.23
-
cpe:2.3:a:eclipse:jetty:9.2.24
-
cpe:2.3:a:eclipse:jetty:9.2.25
-
cpe:2.3:a:eclipse:jetty:9.2.26
-
cpe:2.3:a:eclipse:jetty:9.2.3
-
cpe:2.3:a:eclipse:jetty:9.2.4
-
cpe:2.3:a:eclipse:jetty:9.2.5
-
cpe:2.3:a:eclipse:jetty:9.2.6
-
cpe:2.3:a:eclipse:jetty:9.2.7
-
cpe:2.3:a:eclipse:jetty:9.2.8
-
cpe:2.3:a:eclipse:jetty:9.2.9
-
cpe:2.3:a:eclipse:jetty:9.3.0
-
cpe:2.3:a:eclipse:jetty:9.3.1
-
cpe:2.3:a:eclipse:jetty:9.3.10
-
cpe:2.3:a:eclipse:jetty:9.3.11
-
cpe:2.3:a:eclipse:jetty:9.3.12
-
cpe:2.3:a:eclipse:jetty:9.3.13
-
cpe:2.3:a:eclipse:jetty:9.3.14
-
cpe:2.3:a:eclipse:jetty:9.3.15
-
cpe:2.3:a:eclipse:jetty:9.3.16
-
cpe:2.3:a:eclipse:jetty:9.3.17
-
cpe:2.3:a:eclipse:jetty:9.3.18
-
cpe:2.3:a:eclipse:jetty:9.3.19
-
cpe:2.3:a:eclipse:jetty:9.3.2
-
cpe:2.3:a:eclipse:jetty:9.3.20
-
cpe:2.3:a:eclipse:jetty:9.3.21
-
cpe:2.3:a:eclipse:jetty:9.3.22
-
cpe:2.3:a:eclipse:jetty:9.3.23
-
cpe:2.3:a:eclipse:jetty:9.3.3
-
cpe:2.3:a:eclipse:jetty:9.3.4
-
cpe:2.3:a:eclipse:jetty:9.3.5
-
cpe:2.3:a:eclipse:jetty:9.3.6
-
cpe:2.3:a:eclipse:jetty:9.3.7
-
cpe:2.3:a:eclipse:jetty:9.3.8
-
cpe:2.3:a:eclipse:jetty:9.3.9
-
cpe:2.3:a:eclipse:jetty:9.4.0
-
cpe:2.3:a:eclipse:jetty:9.4.1
-
cpe:2.3:a:eclipse:jetty:9.4.10
-
cpe:2.3:a:eclipse:jetty:9.4.2
-
cpe:2.3:a:eclipse:jetty:9.4.3
-
cpe:2.3:a:eclipse:jetty:9.4.4
-
cpe:2.3:a:eclipse:jetty:9.4.5
-
cpe:2.3:a:eclipse:jetty:9.4.6
-
cpe:2.3:a:eclipse:jetty:9.4.7
-
cpe:2.3:a:eclipse:jetty:9.4.8
-
cpe:2.3:a:eclipse:jetty:9.4.9
-
cpe:2.3:a:hp:xp_p9000_command_view:8.4.0-00
-
cpe:2.3:a:hp:xp_p9000_command_view:8.6.2-00
-
cpe:2.3:a:netapp:e-series_santricity_management:-
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.0
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.0.0
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.20
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.25
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.30
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.30.5r3
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.40
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.40.3r2
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.40.5
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.50.1
-
cpe:2.3:a:netapp:e-series_santricity_web_services:-
-
cpe:2.3:a:netapp:hci_management_node:-
-
cpe:2.3:a:netapp:hci_storage_node:-
-
cpe:2.3:a:netapp:oncommand_system_manager:3.0
-
cpe:2.3:a:netapp:oncommand_system_manager:3.0.0
-
cpe:2.3:a:netapp:oncommand_system_manager:3.1
-
cpe:2.3:a:netapp:oncommand_system_manager:3.1.1
-
cpe:2.3:a:netapp:oncommand_system_manager:3.1.2
-
cpe:2.3:a:netapp:oncommand_system_manager:3.1.3
-
cpe:2.3:a:netapp:oncommand_unified_manager_for_7-mode:-
-
cpe:2.3:a:netapp:santricity_cloud_connector:-
-
cpe:2.3:a:netapp:snap_creator_framework:-
-
cpe:2.3:a:netapp:snapcenter:-
-
cpe:2.3:a:netapp:snapmanager:-
-
cpe:2.3:a:netapp:solidfire:-
-
cpe:2.3:a:netapp:storage_services_connector:-
-
cpe:2.3:a:oracle:rest_data_services:11.2.0.4
-
cpe:2.3:a:oracle:rest_data_services:12.1.0.2
-
cpe:2.3:a:oracle:rest_data_services:12.2.0.1
-
cpe:2.3:a:oracle:rest_data_services:18c
-
cpe:2.3:a:oracle:retail_xstore_payment:3.3
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1
-
cpe:2.3:h:hp:xp_p9000:-
-
cpe:2.3:o:debian:debian_linux:9.0