CVE-2017-7658
CVSS v3.1: 9.8 (Critical)
CVSS v2.0: 7.5 (High)
EPSS: 1.09 % (85th)
Affected Products: 20
Advisories: 4
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-length headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
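A check an intermediary or test harness could apply to reject the two ambiguous framings described above, as an added example that is not Jetty's or the advisory's code. The function name `framing_issues` and the sample requests are constructed for illustration; the check also treats a comma-separated Content-Length value as several values, which goes slightly beyond the description.

```python
# Added example: flag HTTP/1.x request heads whose body framing is ambiguous,
# so they can be rejected instead of being forwarded to the back end.

def framing_issues(raw_head: bytes) -> list[str]:
    """Return the framing ambiguities found in one HTTP/1.x request head."""
    head = raw_head.split(b"\r\n\r\n", 1)[0]
    header_lines = head.split(b"\r\n")[1:]  # skip the request line
    lengths, has_te, issues = [], False, []
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a header field; outside the scope of this check
        key = name.strip().lower()
        if key == b"content-length":
            # "Content-Length: 5, 44" is counted as two values.
            lengths += [v.strip() for v in value.split(b",")]
        elif key == b"transfer-encoding":
            has_te = True
    if len(lengths) > 1:
        issues.append("multiple-content-length")
    if any(not v.isdigit() for v in lengths):
        issues.append("non-numeric-content-length")
    if lengths and has_te:
        issues.append("content-length-with-transfer-encoding")
    return issues

# Constructed sample requests (benign bodies, hypothetical host name).
DUP_CL = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Length: 5\r\nContent-Length: 44\r\n\r\nhello")
CL_TE = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
CLEAN = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    for label, req in (("dup-cl", DUP_CL), ("cl+te", CL_TE), ("clean", CLEAN)):
        found = framing_issues(req)
        print(label, "REJECT" if found else "accept", found)
```

Rejecting such requests at every hop removes the disagreement between intermediary and server that the description relies on.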
Weaknesses
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

- CVE Status: PUBLISHED
- CNA: Eclipse Foundation
- Published Date: 2018-06-26 17:29:00 (6 years ago)
- Updated Date: 2023-11-07 02:50:13 (10 months ago)
Affected Products
- E-series Santricity Management
- E-series Santricity Os Controller
- E-series Santricity Web Services
- Hci Management Node
- Hci Storage Node
- Oncommand System Manager
- Oncommand Unified Manager For 7-mode
- Santricity Cloud Connector
- Snapcenter
- Snapmanager
- Snap Creator Framework
- Solidfire
- Storage Services Connector