CVE-2017-7658
- Source
- https://cve.org/CVERecord?id=CVE-2017-7658
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-7658.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2017-7658
- Aliases
- Downstream
- Published
- 2018-06-26T17:29:00.210Z
- Modified
- 2026-04-10T04:00:58.531335Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
- References
-
- https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae%40%3Ccommits.druid.apache.org%3E
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574%40%3Ccommits.druid.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2020.html
- http://www.securitytracker.com/id/1041194
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669
- https://security.netapp.com/advisory/ntap-20181014-0001/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us
- http://www.securityfocus.com/bid/106566
- https://www.debian.org/security/2018/dsa-4278
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Affected packages
Git / github.com/eclipse/jetty.project
Affected ranges
- Type
- GIT
- Repo
- https://github.com/eclipse/jetty.project
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroducedFixedIntroducedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "last_affected": "9.2.26" }, { "introduced": "9.3.0" }, { "fixed": "9.3.24" }, { "introduced": "9.4.0" }, { "fixed": "9.4.11" }, { "introduced": "0" }, { "last_affected": "9.0" } ] }
Affected versions
jetty-8.*
jetty-8.0.0.RC0
jetty-8.1.0.RC0
jetty-9.*
jetty-9.0.x
jetty-9.1.0.M0
jetty-9.1.0.RC0
jetty-9.1.0.RC1
jetty-9.1.0.RC2
jetty-9.1.0.v20131115
jetty-9.1.1.v20140108
jetty-9.1.2.v20140210
jetty-9.1.3.v20140225
jetty-9.1.4.v20140401
jetty-9.2.0.M0
jetty-9.2.0.M1
jetty-9.2.0.RC0
jetty-9.2.0.v20140523
jetty-9.2.0.v20140526
jetty-9.2.1.v20140609
jetty-9.2.10.v20150310
jetty-9.2.11.M0
jetty-9.2.11.v20150528
jetty-9.2.11.v20150529
jetty-9.2.12.M0
jetty-9.2.12.v20150709
jetty-9.2.13.v20150730
jetty-9.2.15.v20160210
jetty-9.2.18.v20160721
jetty-9.2.19.v20160908
jetty-9.2.2.v20140723
jetty-9.2.20.v20161216
jetty-9.2.21.v20170120
jetty-9.2.22.v20170606
jetty-9.2.23.v20171218
jetty-9.2.26.v20180806
jetty-9.2.3.v20140905
jetty-9.2.4.v20141103
jetty-9.2.5.v20141112
jetty-9.2.6.v20141203
jetty-9.2.6.v20141205
jetty-9.2.7.v20150116
jetty-9.2.8.v20150217
jetty-9.2.9.v20150224
jetty-9.3.13.M0
jetty-9.3.17.v20170317
jetty-9.3.18.v20170406
jetty-9.3.19.v20170502
jetty-9.3.23.v20180228
jetty-9.3.4.v20151007
jetty-9.3.7.RC1
jetty-9.3.7.v20160115
jetty-9.4.10.v20180503
jetty-9.4.2.v20170220
jetty-9.4.6.v20170531
Database specific
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "11.2.0.4"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.1.0.2"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "12.2.0.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "18c"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.3"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "7.1"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "15.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "16.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "17.0"
}
]
},
{
"events": [
{
"introduced": "8.4.0-00"
},
{
"last_affected": "8.6.2-00"
}
]
},
{
"events": [
{
"introduced": "11.0"
},
{
"last_affected": "11.50.1"
}
]
},
{
"events": [
{
"introduced": "3.0"
},
{
"last_affected": "3.1.3"
}
]
}
]
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-7658.json"