Integer Overflow Vulnerability in Eclipse Jetty Web Server
CVE-2017-7657

9.8CRITICAL

Key Information:

Vendor

The Eclipse Foundation

Status
Eclipse Jetty
Vendor
CVE Published:
26 June 2018

What is CVE-2017-7657?

In Eclipse Jetty versions 9.2.x and older, all configurations of 9.3.x, and 9.4.x when RFC2616 compliance is enabled, an integer overflow occurs due to improper handling of transfer-encoding chunk lengths. This vulnerability allows attackers to send a large chunk size that could be interpreted as a smaller size, potentially crafting a fake pipelined request. If Jetty is deployed behind an intermediary with authorization, this flaw could be exploited to bypass such authorization, leading to unauthorized request processing.

Affected Version(s)

Eclipse Jetty <= 9.2.0

Eclipse Jetty 9.3.0

Eclipse Jetty < 9.3.24

References

https://www.debian.org/security/2018/dsa-4278
vendor-advisoryx_refsource_DEBIAN
http://www.securitytracker.com/id/1041194
vdb-entryx_refsource_SECTRACK
https://lists.apache.org/thread.html/708d94141126eac03011...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.