In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non-HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two Content-Length headers, Jetty ignored the second. When presented with both a Content-Length header and a chunked Transfer-Encoding header, the Content-Length was ignored (as per RFC 2616). If an intermediary decided on the shorter length but still passed on the longer body, the remaining body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
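The root cause above is two hops disagreeing on where a request body ends. The following is an added example, not Jetty's code or the advisory's, of the framing check an intermediary (reverse proxy, gateway) should apply before forwarding: per RFC 7230 section 3.3.3 a message whose length is ambiguous is rejected rather than guessed. The sample requests are constructed for the example; the function and field names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# RFC 7230 token characters; a header name containing anything else (for example
# whitespace before the colon) is treated as malformed rather than silently accepted.
_TOKEN = re.compile(r"^[A-Za-z0-9!#$%&'*+.^_|~-]+$")


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request head (everything before the blank line) into the
    request line and a list of (lower-cased name, value) pairs.
    Duplicates are preserved on purpose: collapsing them is what hides the problem."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not _TOKEN.match(name):
            headers.append(("<malformed>", line))
            continue
        headers.append((name.lower(), value.strip()))
    return lines[0], headers


def check_framing(raw: bytes) -> Dict[str, object]:
    """Decide how the body of this request is framed, or reject the request.

    Returns {'reject': bool, 'reasons': [...], 'framing': 'none'|'content-length'|'chunked',
    'length': int or None}.  Any ambiguity is a rejection, never a best guess."""
    _, headers = parse_head(raw)
    reasons: List[str] = []
    cl_values: List[int] = []

    for name, value in headers:
        if name == "<malformed>":
            reasons.append(f"malformed header line {value!r}")
        elif name == "content-length":
            # A comma-separated list is only tolerable if every member is identical.
            for part in value.split(","):
                part = part.strip()
                if not part.isdigit():
                    reasons.append(f"non-numeric Content-Length {part!r}")
                else:
                    cl_values.append(int(part))

    te_values = [v for n, v in headers if n == "transfer-encoding"]

    # Two Content-Length headers with different values: the case in the CVE text.
    if len(set(cl_values)) > 1:
        reasons.append(f"conflicting Content-Length values {sorted(set(cl_values))}")
    # Content-Length alongside Transfer-Encoding: RFC 7230 lets a server drop the
    # Content-Length, but an intermediary should refuse to forward the message.
    if te_values and cl_values:
        reasons.append("Transfer-Encoding and Content-Length both present")
    # If the final transfer coding is not 'chunked', the length cannot be determined.
    for value in te_values:
        codings = [c.strip().lower() for c in value.split(",")]
        if codings[-1] != "chunked":
            reasons.append(f"final transfer coding is not chunked: {value!r}")

    framing = "none"
    length = None
    if not reasons:
        if te_values:
            framing = "chunked"
        elif cl_values:
            framing, length = "content-length", cl_values[0]
        else:
            length = 0
    return {"reject": bool(reasons), "reasons": reasons, "framing": framing, "length": length}


# Constructed sample requests (not captured traffic).
CLEAN = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
DUP_CL = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\nContent-Length: 30\r\n\r\nhello")
CL_TE = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("duplicate CL", DUP_CL), ("CL + TE", CL_TE)):
        print(label, check_framing(req))
```

Identical duplicate Content-Length values are allowed through, as RFC 7230 permits; everything else that would let two parsers pick different body lengths is rejected up front, which is the only behaviour that makes the "shorter length, longer body" situation in the advisory impossible regardless of what the origin server does.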
| Vulnerable Product |
|---|
| eclipse jetty |
| debian debian linux 9.0 |
| oracle retail xstore point of service 15.0 |
| oracle retail xstore point of service 7.1 |
| oracle retail xstore point of service 16.0 |
| oracle retail xstore payment 3.3 |
| oracle retail xstore point of service 17.0 |
| oracle rest data services 12.2.0.1 |
| oracle rest data services 12.1.0.2 |
| oracle rest data services 11.2.0.4 |
| oracle rest data services 18c |
| hp xp p9000 command view |
| netapp snap creator framework - |
| netapp santricity cloud connector - |
| netapp snapcenter - |
| netapp snapmanager - |
| netapp e-series santricity web services - |
| netapp e-series santricity management - |
| netapp e-series santricity os controller |
| netapp oncommand system manager |
| netapp solidfire - |
| netapp hci management node - |
| netapp oncommand unified manager for 7-mode - |
| netapp storage services connector - |
| netapp hci storage node - |
Big Red admins have big patches ahead

Out of 284 flaws, 33 are rated critical.

Thought Patch Tuesday was a load? You gotta check out this Oracle mega-advisory, then.

Oracle admins, here's your first critical patch advisory for 2019, and it's a doozy: a total of 284 vulnerabilities patched across Big Red's product range, and 33 of them are rated "critical". We hope your support contracts are up to date to receive these fixes. The full list is here, and with so much to choose from, The Register will work through the top-rated bugs. Oracle Communications Applications (OCA) is home to nine of the vulnerabilities in various components: Oracle E-Business' Perf...