Integer Overflow Vulnerability in Eclipse Jetty Web Server
CVE-2017-7657

9.8CRITICAL

Key Information:

Vendor: The Eclipse Foundation
Status: Eclipse Jetty
Vendor: CVE Published:; 26 June 2018

What is CVE-2017-7657?

In Eclipse Jetty versions 9.2.x and older, all configurations of 9.3.x, and 9.4.x when RFC2616 compliance is enabled, an integer overflow occurs due to improper handling of transfer-encoding chunk lengths. This vulnerability allows attackers to send a large chunk size that could be interpreted as a smaller size, potentially crafting a fake pipelined request. If Jetty is deployed behind an intermediary with authorization, this flaw could be exploited to bypass such authorization, leading to unauthorized request processing.

Affected Version(s)

Eclipse Jetty <= 9.2.0

Eclipse Jetty 9.3.0

Eclipse Jetty < 9.3.24

References

https://www.debian.org/security/2018/dsa-4278

vendor-advisoryx_refsource_DEBIAN

http://www.securitytracker.com/id/1041194

vdb-entryx_refsource_SECTRACK

https://lists.apache.org/thread.html/708d94141126eac03011...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 26, 2018
Vulnerability Reserved
Apr 11, 2017

The Eclipse Foundation

What is CVE-2017-7657?

Affected Version(s)

References

CVSS V3.1

Timeline