CVE-2017-7658

Published: 26 June 2018

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non-HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two Content-Length headers, Jetty ignored the second. When presented with both a Content-Length and a chunked Transfer-Encoding header, the Content-Length was ignored (as per RFC 2616). If an intermediary decided on the shorter length but still passed on the longer body, the excess body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
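The flaw described above is an HTTP message-framing ambiguity: two components disagree about where one request ends and the next begins. The defence is for every hop (proxy, load balancer, server) to refuse messages whose framing is ambiguous, as RFC 7230 section 3.3.3 requires. The following is an added example, not code from the Ubuntu tracker or from the Jetty project, showing the checks an intermediary or server should apply before trusting a body length: reject a message carrying both Transfer-Encoding and Content-Length, reject conflicting or non-numeric Content-Length values, and reject a Transfer-Encoding whose final coding is not chunked. The request bytes in SAMPLES are constructed for the demonstration; the host name is a placeholder.

```python
"""Strict HTTP/1.x framing check (RFC 7230 section 3.3.3), added example."""
import re
from typing import Dict, List, Optional, Tuple

_LIST_SPLIT = re.compile(r"\s*,\s*")
_DECIMAL = re.compile(r"[0-9]+")


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the header block of an HTTP/1.x message into (name, value) pairs.

    Names are lower-cased; the request line is skipped. Every header is kept,
    including duplicates, because the framing check below must see all of them.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = []
    for line in head.split(b"\r\n")[1:]:  # index 0 is the request line
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("ascii"),
                        value.strip().decode("ascii")))
    return headers


def framing_error(headers: List[Tuple[str, str]]) -> Optional[str]:
    """Return None if the body framing is unambiguous, else a reject reason.

    An intermediary that gets a reason back must not forward the message
    (respond 400 and close), so no downstream server can frame it differently.
    """
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]

    # Rule 1: the two length mechanisms must never appear together.
    if te and cl:
        return "both Transfer-Encoding and Content-Length present"

    # Rule 2: every Content-Length value (across headers and comma lists)
    # must be a decimal number, and all of them must agree.
    values = set()
    for field in cl:
        for part in _LIST_SPLIT.split(field):
            if not _DECIMAL.fullmatch(part):
                return f"non-numeric Content-Length value {part!r}"
            values.add(int(part))
    if len(values) > 1:
        return f"conflicting Content-Length values {sorted(values)}"

    # Rule 3: with Transfer-Encoding, the final coding must be chunked,
    # otherwise the body length cannot be determined at all.
    if te:
        final_coding = _LIST_SPLIT.split(te[-1])[-1].lower()
        if final_coding != "chunked":
            return f"Transfer-Encoding final coding is {final_coding!r}, not chunked"
    return None


# Constructed sample requests (not captured traffic); app.example is a placeholder.
SAMPLES: Dict[str, bytes] = {
    "clean": (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
              b"Content-Length: 5\r\n\r\nhello"),
    "duplicate_cl": (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
                     b"Content-Length: 5\r\nContent-Length: 30\r\n\r\nhello"),
    "cl_and_te": (b"POST /login HTTP/1.1\r\nHost: app.example\r\n"
                  b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
}


def check_all(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Optional[str]]:
    """Run the framing check over each sample; None means the message is acceptable."""
    return {name: framing_error(parse_headers(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, err in check_all().items():
        print(f"{name:13s} -> {'accept' if err is None else 'reject: ' + err}")
```

Identical duplicate values ("Content-Length: 5" twice, or "Content-Length: 5, 5") are accepted here because RFC 7230 lets a recipient collapse them to one value; if you would rather treat any duplicate as hostile, change the `len(values) > 1` test to `len(cl) > 1`. The point of running this at the edge is that the affected Jetty versions honoured the first Content-Length, so any front end that chose differently turned a malformed request into two.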

Priority

Low

CVSS 3 base score: 9.8

Status

Package: jetty8
Launchpad, Ubuntu, Debian

Release                          Status
Upstream                         Needed
Ubuntu 21.10 (Impish Indri)      Does not exist
Ubuntu 21.04 (Hirsute Hippo)     Does not exist
Ubuntu 20.04 LTS (Focal Fossa)   Does not exist
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist
Ubuntu 16.04 ESM (Xenial Xerus)  Ignored
Ubuntu 14.04 ESM (Trusty Tahr)   Ignored

Package: jetty9
Launchpad, Ubuntu, Debian

Release                          Status
Upstream                         Released (9.2.25-1, 9.2.21-1+deb9u1)
Ubuntu 21.10 (Impish Indri)      Not vulnerable (9.2.26-1)
Ubuntu 21.04 (Hirsute Hippo)     Not vulnerable (9.2.26-1)
Ubuntu 20.04 LTS (Focal Fossa)   Not vulnerable (9.2.26-1)
Ubuntu 18.04 LTS (Bionic Beaver) Needed
Ubuntu 16.04 ESM (Xenial Xerus)  Ignored (end of standard support, was needed)
Ubuntu 14.04 ESM (Trusty Tahr)   Does not exist