Published: 26/06/2018 Updated: 07/11/2023

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 446

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Vulnerable Product	Search on Vulmon	Subscribe to Product
eclipse jetty
debian debian linux 9.0

Debian Bug report logs - #902774 jetty9: CVE-2018-12536 Package: jetty9; Maintainer for jetty9 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Source for jetty9 is src:jetty9 (PTS, buildd, popcon) Reported by: Markus Koschany <apo@debianorg> Date: Sat, 30 Jun 2018 18:45:04 UTC Severity: g ...

Debian Bug report logs - #902953 jetty9: CVE-2017-7656 CVE-2017-7657 CVE-2017-7658 Package: jetty9; Maintainer for jetty9 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Source for jetty9 is src:jetty9 (PTS, buildd, popcon) Reported by: Markus Koschany <apo@debianorg> Date: Sat, 30 Jun 201 ...

Multiple vulnerabilities were discovered in Jetty, a Java servlet engine and webserver which could result in HTTP request smuggling For the stable distribution (stretch), these problems have been fixed in version 9221-1+deb9u1 We recommend that you upgrade your jetty9 packages For the detailed security status of jetty9 please refer to its secu ...

In Eclipse Jetty, versions 92x and older, 93x (all configurations), and 94x (non-default configuration with RFC2616 compliance enabled), HTTP/09 is handled poorly An HTTP/1 style request line (ie method space URI space version) that declares a version of HTTP/09 was accepted and treated as a 09 request If deployed behind an intermediar ...

NVD-CWE-noinfo https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667 http://www.securitytracker.com/id/1041194 https://www.debian.org/security/2018/dsa-4278 https://security.netapp.com/advisory/ntap-20181014-0001/https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html https://www.oracle.com/security-alerts/cpuoct2020.html https://www.oracle.com//security-alerts/cpujul2021.html https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E https://lists.apache.org/thread.html/rbf4565a0b63f9c8b07fab29352a97bbffe76ecafed8b8555c15b83c6%40%3Cissues.maven.apache.org%3E https://nvd.nist.gov https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902774 https://www.debian.org/security/./dsa-4278 https://access.redhat.com/security/cve/cve-2017-7656

CVE-2017-7656

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect