First published: Tue Jun 26 2018
Eclipse Jetty is vulnerable to HTTP request smuggling, caused by improper handling of the chunk size in Chunked Transfer-Encoding. By sending a specially crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
Credit: emo@eclipse.org
Affected Software | Affected Version | How to fix |
---|---|---|
debian/jetty9 | 9.4.16-0+deb10u1, 9.4.16-0+deb10u3, 9.4.39-3+deb11u2, 9.4.50-4+deb12u1, 9.4.53-1 | |
redhat/jetty | <9.3.24 | 9.3.24 |
redhat/jetty | <9.4.11 | 9.4.11 |
Eclipse Jetty | <=9.2.26 | |
Eclipse Jetty | >=9.3.0, <9.3.24 | |
Eclipse Jetty | >=9.4.0, <9.4.11 | |
Debian Linux | =9.0 | |
NetApp E-Series SANtricity Management | | |
NetApp E-Series SANtricity OS Controller | >=11.0, <=11.50.1 | |
NetApp E-Series SANtricity Web Services | | |
NetApp Element Software | | |
NetApp Element Software Management Node | | |
NetApp HCI Storage Nodes | | |
NetApp OnCommand System Manager | =3.x | |
NetApp OnCommand Unified Manager | <5.2.4 | |
NetApp SANtricity Cloud Connector | | |
NetApp Snap Creator Framework | <4.3.3 | |
NetApp SnapCenter | <4.1p3 | |
NetApp SnapManager for Oracle | <3.4.2 | |
NetApp SnapManager for SAP | <3.4.2 | |
HP XP P9000 Command View | >=8.4.0-00, <8.6.2-00 | |
HP XP P9000 | | |
Oracle REST Data Services | =11.2.0.4 | |
Oracle REST Data Services | =12.1.0.2 | |
Oracle REST Data Services | =12.2.0.1 | |
Oracle REST Data Services | =18c | |
Oracle Retail Xstore Point of Service | =7.1 | |
Oracle Retail Xstore Point of Service | =15.0 | |
Oracle Retail Xstore Point of Service | =16.0 | |
Oracle Retail Xstore Point of Service | =17.0 | |
IBM GDE | <=3.0.0.2 | |
CVE-2017-7657 is a vulnerability in Eclipse Jetty that allows for HTTP request smuggling due to improper handling of Chunked Transfer-Encoding.
The severity level of CVE-2017-7657 is critical.
To fix the CVE-2017-7657 vulnerability, update to Eclipse Jetty version 9.3.24 or 9.4.11 (or newer), depending on which release line you run.
You can find more information about CVE-2017-7657 at the following references: [link1](https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668), [link2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1595622), [link3](https://access.redhat.com/errata/RHSA-2019:0910)
The Common Weakness Enumerations (CWE) associated with CVE-2017-7657 are CWE-190, CWE-444, and CWE-79.
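The chunk-size handling the description refers to, as an added example that is not Jetty's code: a strict parser for Chunked Transfer-Encoding that rejects chunk-size lines that are ambiguous or would not fit a 32-bit length (the CWE-190 class listed above), beside a small model of a wrapping parser that shows how two parsers can disagree on where a chunk ends. The 32-bit bound, the helper names and the sample bodies are assumptions constructed for this example.

```python
import re

# Assumed bound: the largest chunk size a 32-bit signed length field can hold.
MAX_CHUNK_SIZE = 0x7FFFFFFF
# Exactly one hex number, optional ';' extensions: no sign, prefix or whitespace.
_CHUNK_SIZE_RE = re.compile(rb"\A([0-9A-Fa-f]+)(?:;[^\r\n]*)?\Z")

class ChunkSizeError(ValueError):
    """Raised for any chunk-size line that is malformed or out of range."""

def parse_chunk_size(line: bytes, max_size: int = MAX_CHUNK_SIZE) -> int:
    """Return the size declared on one chunk-size line (CRLF already stripped)."""
    m = _CHUNK_SIZE_RE.match(line)
    if m is None:
        raise ChunkSizeError(f"malformed chunk-size line: {line!r}")
    size = int(m.group(1), 16)  # Python ints never wrap, so bound explicitly
    if size > max_size:
        raise ChunkSizeError(f"chunk size {size:#x} exceeds {max_size:#x}")
    return size

def is_valid_chunk_size(line: bytes) -> bool:
    try:
        parse_chunk_size(line)
        return True
    except ChunkSizeError:
        return False

def wrapped_chunk_size(line: bytes) -> int:
    """Model of the CWE-190 defect class (not Jetty's code): a parser that
    keeps only the low 32 bits, so an oversized value silently becomes small."""
    return int(line.split(b";", 1)[0], 16) & 0xFFFFFFFF

def decode_chunked(body: bytes) -> bytes:
    """Decode a chunked body strictly; raise on any framing inconsistency."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkSizeError("chunk-size line not terminated by CRLF")
        size = parse_chunk_size(body[pos:eol])
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last-chunk; any trailer section follows it
        if len(body) < pos + size + 2 or body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkSizeError("chunk data shorter than declared or missing CRLF")
        out += body[pos:pos + size]
        pos += size + 2
```

A front end that rejects on `ChunkSizeError` never forwards a body whose framing a wrapping back end would read differently, which is the disagreement request smuggling depends on.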