In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2017-7658 from the MITRE CVE dictionary dictionary and NIST NVD.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 5.3 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity Impact | Low |
| Availability Impact | None |
| Platform | Package | State |
|---|---|---|
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-java-common-jetty | Affected |
| Red Hat Satellite 5 | nutch | Will not fix |
| Red Hat JBoss Fuse Service Works 6 | jetty | Will not fix |
| Red Hat JBoss Fuse 7 | jetty | Affected |
| Red Hat JBoss Fuse 6 | jetty | Will not fix |
| Red Hat Enterprise Linux 7 | jetty | Affected |
| Red Hat Enterprise Linux 6 | jetty-eclipse | Will not fix |
Vulmon