Home

CVE-2017-7657

Description

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Risk Information

Base Score
9.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
9.096

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2017-7658,CVE-2017-7656,CVE-2018-12536,CVE-2017-7657 are fixed in Eclipse-jetty-server 9.3.24Windows
Vulnerabilities CVE-2017-7658,CVE-2017-7657 are fixed in Eclipse-jetty-server 9.2.25Windows
Vulnerabilities CVE-2017-7657 are affected in Netapp Snapcenter *Windows
Multiple Vulnerabilities are affected in IBM Security Verify Directory Integrator 10.0.0Windows
Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 5.2.6.3Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.0Windows
Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.1Windows
Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 6.2.7.3Windows
Multiple Vulnerabilities are affected in IBM Business Automation Workflow 24.0.1Windows
Vulnerabilities CVE-2017-7656,CVE-2017-7657,CVE-2017-7658 are affected in IBM UrbanCode Deploy 6.1.3.9Windows
Vulnerabilities CVE-2017-7656,CVE-2017-7657,CVE-2017-7658,CVE-2018-11784 are affected in IBM UrbanCode Deploy 7.0.1.1Windows
jetty9 security update(DSA-4278-1) jetty9_9.2.21-1+deb9u1_all.debLinux
Vulnerabilities CVE-2017-7658,CVE-2017-7656,CVE-2018-12536,CVE-2017-7657 are fixed in Eclipse-jetty-server for Linux 9.3.24Linux
Vulnerabilities CVE-2017-7658,CVE-2017-7657 are fixed in Eclipse-jetty-server for Linux 9.2.25Linux
Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) Vulnerability (CVE-2017-7657)NCM

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234