CVE-2017-7658: XSS
First published: Thu Jun 07 2018(Updated: )
Eclipse Jetty is vulnerable to HTTP request smuggling, caused by a flaw when handling more than one Content-Length headers. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
Credit: emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/jetty9 | 9.4.16-0+deb10u1 9.4.16-0+deb10u3 9.4.39-3+deb11u2 9.4.50-4+deb12u1 9.4.53-1 | |
| redhat/jetty | <9.2.25. | 9.2.25. |
| redhat/jetty | <9.3.24. | 9.3.24. |
| redhat/jetty | <9.4.11. | 9.4.11. |
| Eclipse Jetty | <=9.2.26 | |
| Eclipse Jetty | >=9.3.0<9.3.24 | |
| Eclipse Jetty | >=9.4.0<9.4.11 | |
| Debian Debian Linux | =9.0 | |
| Oracle REST Data Services | =11.2.0.4 | |
| Oracle REST Data Services | =12.1.0.2 | |
| Oracle REST Data Services | =12.2.0.1 | |
| Oracle REST Data Services | =18c | |
| Oracle Retail Xstore Payment | =3.3 | |
| Oracle Retail Xstore Point of Service | =7.1 | |
| Oracle Retail Xstore Point of Service | =15.0 | |
| Oracle Retail Xstore Point of Service | =16.0 | |
| Oracle Retail Xstore Point of Service | =17.0 | |
| Hp Xp P9000 Command View | >=8.4.0-00<=8.6.2-00 | |
| Hp Xp P9000 | ||
| Netapp E-series Santricity Management | ||
| NetApp E-Series SANtricity OS Controller | >=11.0<=11.50.1 | |
| Netapp E-series Santricity Web Services | ||
| Netapp Hci Management Node | ||
| Netapp Hci Storage Node | ||
| NetApp OnCommand System Manager | >=3.0<=3.1.3 | |
| Netapp Oncommand Unified Manager For 7-mode | ||
| Netapp Santricity Cloud Connector | ||
| NetApp Snap Creator Framework | ||
| Netapp Snapcenter | ||
| Netapp Snapmanager Oracle | ||
| Netapp Snapmanager Sap | ||
| Netapp Solidfire | ||
| Netapp Storage Services Connector | ||
| IBM GDE | <=3.0.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2017-7658 https://nvd.nist.gov/vuln/detail/CVE-2017-7658
- https://bugzilla.redhat.com/show_bug.cgi?id=1595621
- https://access.redhat.com/errata/RHSA-2020:3779
- https://access.redhat.com/security/cve/cve-2017-7658
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669
- https://github.com/eclipse/jetty.project/commit/a285deea
- https://security-tracker.debian.org/tracker/CVE-2017-7658
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1595622
- https://access.redhat.com/security/updates/classification/
- http://www.securityfocus.com/bid/106566
- http://www.securitytracker.com/id/1041194
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574@%3Ccommits.druid.apache.org%3E
- https://security.netapp.com/advisory/ntap-20181014-0001/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us
- https://www.debian.org/security/2018/dsa-4278
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/145522
- https://www.ibm.com/support/pages/node/6320835 (Advisory)
- https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae%40%3Ccommits.druid.apache.org%3E
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID is CVE-2017-7658.
What is the severity of CVE-2017-7658?
The severity of CVE-2017-7658 is critical with a CVSS score of 9.8.
Which software versions are affected by CVE-2017-7658?
Eclipse Jetty Server versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations) are affected.
How can I mitigate the vulnerability CVE-2017-7658?
To mitigate CVE-2017-7658, update Jetty Server to version 9.2.25 or newer.
Where can I find more information about CVE-2017-7658?
You can find more information about CVE-2017-7658 in the references provided: [link1], [link2], [link3].
- collector/redhat-cve
- collector/security-tracker-debian
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-7658
- agent/software-canonical-lookup
- agent/weakness
- agent/author
- agent/severity
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/event
- collector/ibm-support
- source/IBM
- agent/references
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/debian
- package-manager/redhat
- vendor/eclipse
- canonical/eclipse jetty
- version/eclipse jetty/9.2.26
- version/eclipse jetty/9.3.0
- version/eclipse jetty/9.4.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- vendor/oracle
- canonical/oracle rest data services
- version/oracle rest data services/11.2.0.4
- version/oracle rest data services/12.1.0.2
- version/oracle rest data services/12.2.0.1
- version/oracle rest data services/18c
- canonical/oracle retail xstore payment
- version/oracle retail xstore payment/3.3
- canonical/oracle retail xstore point of service
- version/oracle retail xstore point of service/7.1
- version/oracle retail xstore point of service/15.0
- version/oracle retail xstore point of service/16.0
- version/oracle retail xstore point of service/17.0
- vendor/hp
- canonical/hp xp p9000 command view
- version/hp xp p9000 command view/8.4.0-00
- version/hp xp p9000 command view/8.6.2-00
- canonical/hp xp p9000
- vendor/netapp
- canonical/netapp e-series santricity management
- canonical/netapp e-series santricity os controller
- version/netapp e-series santricity os controller/11.0
- version/netapp e-series santricity os controller/11.50.1
- canonical/netapp e-series santricity web services
- canonical/netapp hci management node
- canonical/netapp hci storage node
- canonical/netapp oncommand system manager
- version/netapp oncommand system manager/3.0
- version/netapp oncommand system manager/3.1.3
- canonical/netapp oncommand unified manager for 7-mode
- canonical/netapp santricity cloud connector
- canonical/netapp snap creator framework
- canonical/netapp snapcenter
- canonical/netapp snapmanager oracle
- canonical/netapp snapmanager sap
- canonical/netapp solidfire
- canonical/netapp storage services connector
- vendor/ibm
- canonical/ibm gde
- version/ibm gde/3.0.0.2