CVE-2017-7658
Description
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
Risk Information
Base Score
9.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
8.69
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2017-7658,CVE-2017-7656,CVE-2018-12536,CVE-2017-7657 are fixed in Eclipse-jetty-server 9.3.24 | Windows |
| Vulnerabilities CVE-2017-7658,CVE-2017-7656,CVE-2018-12536,CVE-2018-12538 are fixed in Eclipse-jetty-server 9.4.11 | Windows |
| Vulnerabilities CVE-2017-7658,CVE-2017-7657 are fixed in Eclipse-jetty-server 9.2.25 | Windows |
| Multiple Vulnerabilities are affected in IBM Security Verify Directory Integrator 10.0.0 | Windows |
| Multiple Vulnerabilities are affected in Netapp Snapcenter 2.3 | Windows |
| Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 5.2.6.3 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.1 | Windows |
| Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 6.2.7.3 | Windows |
| Vulnerabilities CVE-2017-7656,CVE-2017-7657,CVE-2017-7658 are affected in IBM UrbanCode Deploy 6.1.3.9 | Windows |
| Vulnerabilities CVE-2017-7656,CVE-2017-7657,CVE-2017-7658,CVE-2018-11784 are affected in IBM UrbanCode Deploy 7.0.1.1 | Windows |
| jetty9 security update(DSA-4278-1) jetty9_9.2.21-1+deb9u1_all.deb | Linux |
| Vulnerabilities CVE-2017-7658,CVE-2017-7656,CVE-2018-12536,CVE-2017-7657 are fixed in Eclipse-jetty-server for Linux 9.3.24 | Linux |
| Vulnerabilities CVE-2017-7658,CVE-2017-7656,CVE-2018-12536,CVE-2018-12538 are fixed in Eclipse-jetty-server for Linux 9.4.11 | Linux |
| Vulnerabilities CVE-2017-7658,CVE-2017-7657 are fixed in Eclipse-jetty-server for Linux 9.2.25 | Linux |
| Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) Vulnerability (CVE-2017-7658) | NCM |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234