CVE-2017-7656

Published: 26 June 2018

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1-style request line (i.e. method, space, URI, space, version) that declares a version of HTTP/0.9 is accepted and treated as an HTTP/0.9 request, so the response is sent as a bare body with no status line or headers. If Jetty is deployed behind an intermediary that also accepts that request line and passes it through unchanged (forwarding the 0.9 version token without acting on it), the intermediary parses the bare-body response as an HTTP/1 response and reads the start of the body as the status line and headers. If the server lets the origin client control the beginning of the response body, the client can supply forged headers (for example caching directives) and poison the intermediary's cache.
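The following is an added example, not Jetty's code and not part of the Ubuntu tracker entry. It models the request-line handling described above: a small classifier for the three request-line forms, a model of the affected origin that answers a declared-0.9 line with a body-only response, a hardened variant that rejects that line, and a model intermediary that parses whatever comes back as an HTTP/1 response. The /echo endpoint, the forged payload, the cache policy and all function names are constructed assumptions for illustration.

```python
# Added example (not Jetty's code and not from the Ubuntu tracker): a
# model of the request-line handling described for CVE-2017-7656 and of
# how an HTTP/1 intermediary misreads the resulting HTTP/0.9 body-only
# response. The /echo endpoint, payload and names are constructed.
import re

# method SP target [SP HTTP/major.minor]; an absent version token is a
# true HTTP/0.9 simple-request, a present one is an HTTP/1-style line.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+)(?: HTTP/(\d)\.(\d))?$")


def classify_request_line(line: bytes) -> str:
    """'simple09' (GET target), 'http1', 'declared09' (the vulnerable
    three-token form whose version token says HTTP/0.9) or 'invalid'."""
    m = REQUEST_LINE.match(line.rstrip(b"\r\n"))
    if m is None:
        return "invalid"
    method, _target, major, minor = m.groups()
    if major is None:
        return "simple09" if method == b"GET" else "invalid"
    if (major, minor) == (b"0", b"9"):
        return "declared09"
    return "http1" if major == b"1" else "invalid"


def origin_respond(request_line: bytes, reflected: bytes) -> bytes:
    """Model of the affected origin: anything classified as 0.9, including
    the declared-0.9 form, gets an HTTP/0.9 simple-response, i.e. the body
    alone with no status line or headers. `reflected` stands for content
    the requesting client controls (an echo endpoint, for instance)."""
    kind = classify_request_line(request_line)
    if kind in ("simple09", "declared09"):
        return reflected
    if kind == "http1":
        return (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                b"Content-Length: %d\r\n\r\n%s" % (len(reflected), reflected))
    return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"


def hardened_origin_respond(request_line: bytes, reflected: bytes) -> bytes:
    """Hardened model: a request line that carries a version token must be
    HTTP/1.x; 'HTTP/0.9' spelled out in that position is rejected instead
    of being downgraded to a headerless 0.9 response."""
    if classify_request_line(request_line) == "declared09":
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return origin_respond(request_line, reflected)


def proxy_parse_response(raw: bytes) -> dict:
    """Model of the intermediary: it forwarded the three-token request line
    as HTTP/1 and therefore parses the reply as status line, header block,
    blank line, body, whatever the origin actually sent."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for h in lines[1:]:
        name, _colon, value = h.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers, "body": body}


def proxy_would_cache(parsed: dict) -> bool:
    """Constructed cache policy: a 200 with an explicit public Cache-Control."""
    cc = parsed["headers"].get(b"cache-control", b"")
    return parsed["status"].startswith(b"HTTP/1.1 200") and b"public" in cc


# Constructed attacker input: the reflected body starts with a forged HTTP/1
# status line and headers, followed by the content the attacker wants cached.
FORGED_PAYLOAD = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  b"Cache-Control: public, max-age=31536000\r\n\r\n"
                  b"<script>alert(1)</script>")

if __name__ == "__main__":
    for label, respond in (("vulnerable", origin_respond),
                           ("hardened", hardened_origin_respond)):
        parsed = proxy_parse_response(
            respond(b"GET /echo HTTP/0.9\r\n", FORGED_PAYLOAD))
        print(label, parsed["status"], "cached:", proxy_would_cache(parsed))
```

Run stand-alone, the vulnerable path reports a 200 with a public Cache-Control that the origin never sent, because the proxy's "headers" are the first lines of the attacker's reflected body; the hardened path returns a real 400 and nothing is cached. The same forged payload sent over a genuine HTTP/1.1 request line is harmless, since the origin's own status line and headers precede it and the proxy treats it as body.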

Priority

Medium

CVSS 3 base score: 7.5

Status

Package   Release                           Status

jetty8 (Launchpad, Ubuntu, Debian)
          Upstream                          Released (9.2.25-1)
          Ubuntu 21.04 (Hirsute Hippo)      Does not exist
          Ubuntu 20.04 LTS (Focal Fossa)    Does not exist
          Ubuntu 18.04 LTS (Bionic Beaver)  Does not exist
          Ubuntu 16.04 ESM (Xenial Xerus)   Ignored
          Ubuntu 14.04 ESM (Trusty Tahr)    Ignored

jetty9 (Launchpad, Ubuntu, Debian)
          Upstream                          Released (9.2.25-1)
          Ubuntu 21.04 (Hirsute Hippo)      Not vulnerable (9.2.26-1)
          Ubuntu 20.04 LTS (Focal Fossa)    Not vulnerable (9.2.26-1)
          Ubuntu 18.04 LTS (Bionic Beaver)  Needed
          Ubuntu 16.04 ESM (Xenial Xerus)   Ignored (end of standard support, was needed)
          Ubuntu 14.04 ESM (Trusty Tahr)    Does not exist