Vulnerability Description
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non-HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two Content-Length headers, Jetty ignored the second. When presented with both a Content-Length header and a chunked Transfer-Encoding header, the Content-Length was ignored (as per RFC 2616). If an intermediary decided on the shorter length but still passed on the longer body, the remaining body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
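The root cause described above is a disagreement between an intermediary and Jetty about where one request body ends. The following Python snippet is an added example (not Jetty's code and not any vendor's fix) of the framing validation a front-end or origin can apply per RFC 7230 section 3.3.3, which obsoleted RFC 2616: duplicate Content-Length headers with differing values, a Content-Length that is not a plain decimal integer, and Content-Length combined with Transfer-Encoding are all rejected outright instead of being silently resolved in favour of one header. The sample requests are constructed for illustration; `check_framing` and `verdict` are names chosen here.

```python
"""Reject HTTP/1.1 requests whose body length is ambiguous (added example).

A message whose framing can be read two ways lets a proxy and the origin
disagree on where the body ends, which is exactly what the description
above relies on. RFC 7230 section 3.3.3 says such messages are invalid and
a server must answer 400 rather than pick one interpretation.
"""
from __future__ import annotations

import re

_DECIMAL = re.compile(r"^[0-9]+$")  # ASCII digits only, no sign, no whitespace


class FramingError(ValueError):
    """Raised when the request body length cannot be determined unambiguously."""


def parse_header_block(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw request (CRLF line endings assumed) into
    (lower-cased header name, value) pairs; the request line is skipped."""
    text = raw.decode("iso-8859-1")
    head, _sep, _body = text.partition("\r\n\r\n")
    headers: list[tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:  # index 0 is the request line
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise FramingError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_framing(raw: bytes) -> int | None:
    """Return the declared body length, None for chunked transfer coding,
    or raise FramingError when the framing is invalid or ambiguous."""
    cl_values: list[str] = []
    te_values: list[str] = []
    for name, value in parse_header_block(raw):
        if name == "content-length":
            # A comma-separated list value counts as multiple headers.
            cl_values.extend(v.strip() for v in value.split(","))
        elif name == "transfer-encoding":
            te_values.extend(v.strip().lower() for v in value.split(","))

    if te_values and cl_values:
        # Do not let either header "win"; the two sides of a proxy may differ.
        raise FramingError("Content-Length and Transfer-Encoding both present")
    if te_values:
        if te_values[-1] != "chunked":
            raise FramingError("final Transfer-Encoding is not chunked")
        return None
    if not cl_values:
        return 0  # no body for a request without either header
    if len(set(cl_values)) > 1:
        raise FramingError(f"conflicting Content-Length values: {cl_values}")
    value = cl_values[0]
    if not _DECIMAL.match(value):
        raise FramingError(f"invalid Content-Length: {value!r}")
    return int(value)


def verdict(raw: bytes) -> str:
    """Human-readable decision for a request: 'accept:<len>', 'accept:chunked'
    or 'reject:<reason>' (the latter maps to a 400 response)."""
    try:
        length = check_framing(raw)
    except FramingError as exc:
        return f"reject:{exc}"
    return "accept:chunked" if length is None else f"accept:{length}"


# Constructed sample requests (not captured traffic).
REQ_OK = b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
REQ_DUP_CL = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Length: 5\r\nContent-Length: 25\r\n\r\nhello")
REQ_CL_TE = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
REQ_CHUNKED = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
REQ_BAD_CL = b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: +5\r\n\r\nhello"

if __name__ == "__main__":
    for label, req in [("ok", REQ_OK), ("dup-cl", REQ_DUP_CL), ("cl+te", REQ_CL_TE),
                       ("chunked", REQ_CHUNKED), ("bad-cl", REQ_BAD_CL)]:
        print(f"{label:8s} -> {verdict(req)}")
```

The important design choice is that every ambiguous case is an error rather than a tie-break: once a rule like "the first Content-Length wins" or "Transfer-Encoding wins" exists, any proxy in front that picks a different rule recreates the mismatch, and the leftover bytes become a request that the proxy never saw or authorized.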
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eclipse | Jetty | <= 9.2.26 |
| Debian | Debian Linux | 9.0 |
| Oracle | REST Data Services | 11.2.0.4 |
| Oracle | Retail Xstore Payment | 3.3 |
| Oracle | Retail Xstore Point of Service | 7.1 |
| HP | XP P9000 Command View | >= 8.4.0-00, <= 8.6.2-00 |
| HP | XP P9000 | - |
| NetApp | E-Series SANtricity Management | - |
| NetApp | E-Series SANtricity OS Controller | >= 11.0, <= 11.50.1 |
| NetApp | E-Series SANtricity Web Services | - |
| NetApp | HCI Management Node | - |
| NetApp | HCI Storage Node | - |
| NetApp | OnCommand System Manager | >= 3.0, <= 3.1.3 |
| NetApp | OnCommand Unified Manager for 7-Mode | - |
| NetApp | SANtricity Cloud Connector | - |
| NetApp | Snap Creator Framework | - |
| NetApp | SnapCenter | - |
| NetApp | SnapManager | - |
| NetApp | SolidFire | - |
| NetApp | Storage Services Connector | - |
References
- http://www.securityfocus.com/bid/106566 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1041194 (Third Party Advisory, VDB Entry)
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669 (Third Party Advisory)
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c24
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b667
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab
- https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b7
- https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2
- https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b7
- https://security.netapp.com/advisory/ntap-20181014-0001/ (Third Party Advisory)
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpe (Third Party Advisory)
- https://www.debian.org/security/2018/dsa-4278 (Third Party Advisory)
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html (Third Party Advisory)
FAQ
What is CVE-2017-7658?
CVE-2017-7658 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non-HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two Content-Length headers, Jetty ignored the ...
How severe is CVE-2017-7658?
CVE-2017-7658 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2017-7658?
Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Jetty, Debian Linux, Oracle REST Data Services, Oracle Retail Xstore Payment, and Oracle Retail Xstore Point of Service.