Home

CVE-2017-7656

Description

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Risk Information

Base Score
7.5
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score
Exploitation Probability
7.767

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2017-7658,CVE-2017-7656,CVE-2018-12536,CVE-2017-7657 are fixed in Eclipse-jetty-server 9.3.24Windows
Vulnerabilities CVE-2017-7658,CVE-2017-7656,CVE-2018-12536,CVE-2018-12538 are fixed in Eclipse-jetty-server 9.4.11Windows
Multiple Vulnerabilities are affected in IBM Security Verify Directory Integrator 10.0.0Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 5.2.6.3Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.0Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.1Windows
Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 6.2.7.3Windows
Multiple Vulnerabilities are affected in IBM Business Automation Workflow 24.0.1Windows
Vulnerabilities CVE-2017-7656,CVE-2017-7657,CVE-2017-7658 are affected in IBM UrbanCode Deploy 6.1.3.9Windows
Vulnerabilities CVE-2017-7656,CVE-2017-7657,CVE-2017-7658,CVE-2018-11784 are affected in IBM UrbanCode Deploy 7.0.1.1Windows
jetty9 security update(DSA-4278-1) jetty9_9.2.21-1+deb9u1_all.debLinux
Vulnerabilities CVE-2017-7658,CVE-2017-7656,CVE-2018-12536,CVE-2017-7657 are fixed in Eclipse-jetty-server for Linux 9.3.24Linux
Vulnerabilities CVE-2017-7658,CVE-2017-7656,CVE-2018-12536,CVE-2018-12538 are fixed in Eclipse-jetty-server for Linux 9.4.11Linux
CVE-2017-7656NCM

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234