First published: Thu Jun 07 2018
Eclipse Jetty is vulnerable to HTTP request smuggling, caused by a flaw in how it handles a request carrying more than one Content-Length header. By sending a specially crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
Credit: emo@eclipse.org
Affected Software | Affected Version | How to fix |
---|---|---|
debian/jetty9 | 9.4.16-0+deb10u1, 9.4.16-0+deb10u3, 9.4.39-3+deb11u2, 9.4.50-4+deb12u1, 9.4.53-1 | |
redhat/jetty | <9.2.25 | 9.2.25 |
redhat/jetty | <9.3.24 | 9.3.24 |
redhat/jetty | <9.4.11 | 9.4.11 |
Eclipse Jetty | <=9.2.26 | |
Eclipse Jetty | >=9.3.0 <9.3.24 | |
Eclipse Jetty | >=9.4.0 <9.4.11 | |
Debian Linux | =9.0 | |
Oracle REST Data Services | =11.2.0.4 | |
Oracle REST Data Services | =12.1.0.2 | |
Oracle REST Data Services | =12.2.0.1 | |
Oracle REST Data Services | =18c | |
Oracle Retail Xstore Payment | =3.3 | |
Oracle Retail Xstore Point of Service | =7.1 | |
Oracle Retail Xstore Point of Service | =15.0 | |
Oracle Retail Xstore Point of Service | =16.0 | |
Oracle Retail Xstore Point of Service | =17.0 | |
HP XP P9000 Command View | >=8.4.0-00 <=8.6.2-00 | |
HP XP P9000 | | |
NetApp E-Series SANtricity Management | | |
NetApp E-Series SANtricity OS Controller | >=11.0 <=11.50.1 | |
NetApp E-Series SANtricity Web Services | | |
NetApp HCI Management Node | | |
NetApp HCI Storage Node | | |
NetApp OnCommand System Manager | >=3.0 <=3.1.3 | |
NetApp OnCommand Unified Manager for 7-Mode | | |
NetApp SANtricity Cloud Connector | | |
NetApp Snap Creator Framework | | |
NetApp SnapCenter | | |
NetApp SnapManager Oracle | | |
NetApp SnapManager SAP | | |
NetApp SolidFire | | |
NetApp Storage Services Connector | | |
IBM GDE | <=3.0.0.2 | |
The vulnerability ID is CVE-2017-7658.
The severity of CVE-2017-7658 is critical, with a CVSS score of 9.8.
Eclipse Jetty Server versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations) are affected.
To mitigate CVE-2017-7658, update Jetty Server to version 9.2.25 or newer.
You can find more information about CVE-2017-7658 in the references provided: [link1], [link2], [link3].