CVE-2017-7656: XSS
First published: Tue Jun 26 2018(Updated: )
Eclipse Jetty is vulnerable to HTTP request smuggling, caused by a flaw in the HTTP/1.x Parser. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
Credit: emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/jetty9 | 9.4.16-0+deb10u1 9.4.16-0+deb10u3 9.4.39-3+deb11u2 9.4.50-4+deb12u1 9.4.53-1 | |
| Eclipse Jetty | <=9.2.26 | |
| Eclipse Jetty | >=9.3.0<9.3.24 | |
| Eclipse Jetty | >=9.4.0<9.4.11 | |
| Debian Debian Linux | =9.0 | |
| IBM GDE | <=3.0.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667
- https://github.com/eclipse/jetty.project/commit/a285deea
- https://security-tracker.debian.org/tracker/CVE-2017-7656
- http://www.securitytracker.com/id/1041194
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rbf4565a0b63f9c8b07fab29352a97bbffe76ecafed8b8555c15b83c6@%3Cissues.maven.apache.org%3E
- https://security.netapp.com/advisory/ntap-20181014-0001/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us
- https://www.debian.org/security/2018/dsa-4278
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/145520
- https://www.ibm.com/support/pages/node/6320835 (Advisory)
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rbf4565a0b63f9c8b07fab29352a97bbffe76ecafed8b8555c15b83c6%40%3Cissues.maven.apache.org%3E
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2017-7656.
What is the severity of CVE-2017-7656?
The severity of CVE-2017-7656 is high with a severity value of 7.5.
How does CVE-2017-7656 affect Eclipse Jetty?
CVE-2017-7656 affects Eclipse Jetty versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled).
What is the risk of CVE-2017-7656?
CVE-2017-7656 poses a risk of HTTP request smuggling due to a flaw in the HTTP/1.x Parser.
How can I mitigate the CVE-2017-7656 vulnerability?
To mitigate the CVE-2017-7656 vulnerability, update to a version of Jetty that is not affected by the vulnerability.
- collector/security-tracker-debian
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/author
- agent/weakness
- agent/severity
- agent/description
- agent/last-modified-date
- agent/event
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/references
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/debian
- vendor/eclipse
- canonical/eclipse jetty
- version/eclipse jetty/9.2.26
- version/eclipse jetty/9.3.0
- version/eclipse jetty/9.4.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- vendor/ibm
- canonical/ibm gde
- version/ibm gde/3.0.0.2