CVE-2017-7658

CVSS v3.1 9.8 (Critical)
CVSS v2.0 7.5 (High)
EPSS 1.09 % (85th)
Affected Products 20
Advisories 4

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non-HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two Content-Length headers, Jetty ignored the second. When presented with both a Content-Length header and a Transfer-Encoding: chunked header, the Content-Length was ignored (as per RFC 2616). If an intermediary decided on the shorter length but still passed on the longer body, the remaining body bytes could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization. The affected-version data below lists the fixes as 9.3.24 and 9.4.11; the 9.2.x line is listed as affected through 9.2.26 with no fixed release.
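The following simulation is an added example written for this page; it is not Jetty code and not part of the advisory. It models the two framing rules the description attributes to vulnerable Jetty (Transfer-Encoding: chunked wins over Content-Length; with duplicate Content-Length headers the second is ignored) and a hypothetical intermediary (assumption: it frames by the last Content-Length only and streams the raw bytes through after an authorization check on the request it saw). Both constructed byte streams, `CL_TE_STREAM` and `CL_CL_STREAM`, are accepted by the front-end as a single POST to /public, yet the back-end parser sees a second GET /admin that the front-end never authorized. A third policy, `strict`, shows the RFC 7230 section 3.3.3 behaviour a practitioner wants at the edge: refuse ambiguous framing instead of picking one header.

```python
# Constructed simulation of the HTTP request smuggling described for
# CVE-2017-7658 (added example, not Jetty's parser). Policy names, the
# front-end behaviour and the sample streams are assumptions for illustration.

def choose_framing(headers, policy):
    """Decide how a parser with the given policy frames the body."""
    cls = [int(v) for n, v in headers if n == "content-length"]
    chunked = any(n == "transfer-encoding" and v.lower().endswith("chunked")
                  for n, v in headers)
    if policy == "jetty-legacy":
        # Behaviour the advisory describes: chunked beats Content-Length,
        # and with duplicate Content-Length the second header is ignored.
        if chunked:
            return "chunked", None
        return "length", (cls[0] if cls else 0)
    if policy == "cl-frontend":
        # Hypothetical intermediary: frames by the last Content-Length only.
        return "length", (cls[-1] if cls else 0)
    if policy == "strict":
        # RFC 7230 section 3.3.3: ambiguous framing is an error, not a guess.
        if chunked and cls:
            raise ValueError("Content-Length together with Transfer-Encoding")
        if len(set(cls)) > 1:
            raise ValueError("conflicting Content-Length values")
        return ("chunked", None) if chunked else ("length", cls[0] if cls else 0)
    raise ValueError("unknown policy " + policy)


def read_chunked(stream, pos):
    """Consume a chunked body starting at pos; return (body, position after it)."""
    body = b""
    while True:
        nl = stream.index(b"\r\n", pos)
        size = int(stream[pos:nl].split(b";")[0], 16)   # ignore chunk extensions
        pos = nl + 2
        if size == 0:
            return body, stream.index(b"\r\n", pos) + 2  # skip empty trailer section
        body += stream[pos:pos + size]
        pos += size + 2                                  # data plus its CRLF


def parse_requests(stream, policy):
    """Split a raw HTTP/1.1 byte stream into (method, target, body) tuples."""
    out, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break                                        # incomplete head
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        method, target, _ = lines[0].split(" ", 2)
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
        pos = end + 4
        kind, length = choose_framing(headers, policy)
        if kind == "chunked":
            body, pos = read_chunked(stream, pos)
        else:
            body, pos = stream[pos:pos + length], pos + length
        out.append((method, target, body))
    return out


def front_end(stream):
    """Authorize every request the intermediary frames, then pass the bytes on.

    Returns the forwarded stream, or None if a request to /admin was blocked.
    """
    for method, target, _ in parse_requests(stream, "cl-frontend"):
        if target.startswith("/admin"):
            return None
    return stream                 # streaming proxy: forwards what it read, body included


def run_scenario(stream, backend_policy):
    """Requests the back-end ends up processing, as (method, target) pairs."""
    forwarded = front_end(stream)
    if forwarded is None:
        return []
    return [(m, t) for m, t, _ in parse_requests(forwarded, backend_policy)]


def strict_rejects(stream):
    """True when an RFC 7230-strict parser refuses the stream as ambiguously framed."""
    try:
        parse_requests(stream, "strict")
        return False
    except ValueError:
        return True


# Constructed sample traffic: a smuggled GET /admin hidden inside a POST /public body.
ADMIN_REQUEST = b"GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
CL_TE_STREAM = (b"POST /public HTTP/1.1\r\nHost: app.example\r\n"
                + b"Content-Length: %d\r\n" % (5 + len(ADMIN_REQUEST))
                + b"Transfer-Encoding: chunked\r\n\r\n"
                + b"0\r\n\r\n" + ADMIN_REQUEST)
CL_CL_STREAM = (b"POST /public HTTP/1.1\r\nHost: app.example\r\n"
                + b"Content-Length: 0\r\n"
                + b"Content-Length: %d\r\n\r\n" % len(ADMIN_REQUEST)
                + ADMIN_REQUEST)

if __name__ == "__main__":
    for name, stream in (("CL.TE", CL_TE_STREAM), ("CL.CL", CL_CL_STREAM)):
        print(name, "front-end sees:", [t for _, t, _ in parse_requests(stream, "cl-frontend")])
        print(name, "back-end sees:", run_scenario(stream, "jetty-legacy"))
        print(name, "strict parser rejects:", strict_rejects(stream))
```

`run_scenario` is the whole vulnerability in one call: the front-end frames the payload as one request, applies its check to POST /public only, and forwards the bytes; the legacy policy terminates the body earlier (at the 0 chunk, or at the first Content-Length) and parses the leftover as GET /admin. The `strict` policy rejects both streams before any forwarding happens, which is the check to enforce at whichever hop performs authorization.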

Weaknesses
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE Status
PUBLISHED
CNA
Eclipse Foundation
Published Date
2018-06-26 17:29:00
Updated Date
2023-11-07 02:50:13

Affected Products


Configuration #1

  Product          CPE23                      From       Up To
  Eclipse Jetty    cpe:2.3:a:eclipse:jetty               <= 9.2.26
  Eclipse Jetty    cpe:2.3:a:eclipse:jetty    >= 9.3.0   < 9.3.24
  Eclipse Jetty    cpe:2.3:a:eclipse:jetty    >= 9.4.0   < 9.4.11

Configuration #2

  Product             CPE23                               From   Up To
  Debian Linux 9.0    cpe:2.3:o:debian:debian_linux:9.0

Configuration #3

  Product                                    CPE23                                                  From   Up To
  Oracle REST Data Services 11.2.0.4         cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-
  Oracle REST Data Services 12.1.0.2         cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-
  Oracle REST Data Services 12.2.0.1         cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-
  Oracle REST Data Services 18c              cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-
  Oracle Retail Xstore Payment 3.3           cpe:2.3:a:oracle:retail_xstore_payment:3.3
  Oracle Retail Xstore Point of Service 7.1  cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1
  Oracle Retail Xstore Point of Service 15.0 cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0
  Oracle Retail Xstore Point of Service 16.0 cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0
  Oracle Retail Xstore Point of Service 17.0 cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0

Configuration #4 (both groups must match: the software AND the hardware it runs on)

  Group 1 (software)
  Product                     CPE23                                                 From          Up To
  HP XP P9000 Command View    cpe:2.3:a:hp:xp_p9000_command_view::*:*:*:advanced    >= 8.4.0-00   <= 8.6.2-00

  Group 2 (running on/with)
  Product                     CPE23                                                 From          Up To
  HP XP P9000 (hardware)      cpe:2.3:h:hp:xp_p9000:-

Configuration #5

  Product                                       CPE23                                                   From      Up To
  NetApp E-Series SANtricity Management         cpe:2.3:a:netapp:e-series_santricity_management:-
  NetApp E-Series SANtricity OS Controller      cpe:2.3:a:netapp:e-series_santricity_os_controller      >= 11.0   <= 11.50.1
  NetApp E-Series SANtricity Web Services       cpe:2.3:a:netapp:e-series_santricity_web_services:-
  NetApp HCI Management Node                    cpe:2.3:a:netapp:hci_management_node:-
  NetApp HCI Storage Node                       cpe:2.3:a:netapp:hci_storage_node:-
  NetApp OnCommand System Manager               cpe:2.3:a:netapp:oncommand_system_manager               >= 3.0    <= 3.1.3
  NetApp OnCommand Unified Manager for 7-Mode   cpe:2.3:a:netapp:oncommand_unified_manager_for_7-mode:-
  NetApp SANtricity Cloud Connector             cpe:2.3:a:netapp:santricity_cloud_connector:-
  NetApp Snap Creator Framework                 cpe:2.3:a:netapp:snap_creator_framework:-
  NetApp SnapCenter                             cpe:2.3:a:netapp:snapcenter:-
  NetApp SnapManager for Oracle                 cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle
  NetApp SnapManager for SAP                    cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap
  NetApp SolidFire                              cpe:2.3:a:netapp:solidfire:-
  NetApp Storage Services Connector             cpe:2.3:a:netapp:storage_services_connector:-