Vulnerability in Eclipse Jetty Server Allows Authorization Bypass
CVE-2017-7658
What is CVE-2017-7658?
A vulnerability in the Eclipse Jetty Server causes the server to ignore the second Content-Length header when a request carries two of them. When a Content-Length header conflicts with chunked encoding, Jetty resolves the conflict by disregarding the Content-Length. This could lead to a scenario where intermediary systems, which may impose authorization, inadvertently allow unauthorized requests to bypass their checks when extended requests are treated as valid pipelined requests. The affected versions include Jetty Server 9.2.x and older, all non-HTTP/1.x configurations of 9.3.x, and all HTTP/1.x configurations of 9.4.x, presenting a significant risk for users relying on Jetty for their web applications.
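
A check that an intermediary or request filter in front of Jetty could apply to the two header conflicts described above, shown here as an added example (not code from Jetty or from this advisory). The function name, the issue strings and the sample requests are constructed for illustration.

```python
"""Reject HTTP/1.x request heads whose body length is ambiguous."""


def framing_issues(raw_head: bytes) -> list[str]:
    """Return the reasons the body framing is ambiguous; [] means unambiguous.

    raw_head holds the request line and headers (anything after the blank
    line is ignored). Name and return format are hypothetical.
    """
    head = raw_head.split(b"\r\n\r\n", 1)[0]
    content_lengths: list[bytes] = []
    chunked = False
    issues: list[str] = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            issues.append("malformed header line")
            continue
        key = name.strip().lower()  # header names are case-insensitive
        if key == b"content-length":
            # "Content-Length: 5, 40" is the same conflict on one line.
            content_lengths += [v.strip() for v in value.split(b",")]
        elif key == b"transfer-encoding":
            codings = [c.strip().lower() for c in value.split(b",")]
            chunked = chunked or b"chunked" in codings
    if len(content_lengths) > 1:
        issues.append("multiple Content-Length values")
    if any(not v.isdigit() for v in content_lengths):
        issues.append("non-numeric Content-Length")
    if chunked and content_lengths:
        issues.append("Content-Length together with chunked Transfer-Encoding")
    return issues


# Constructed sample request heads (not captured traffic).
CLEAN = b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n"
TWO_CL = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\nContent-Length: 40\r\n\r\n")
CL_AND_TE = (b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n")

if __name__ == "__main__":
    for label, head in (("clean", CLEAN), ("two CL", TWO_CL), ("CL+TE", CL_AND_TE)):
        print(label, "->", framing_issues(head) or "ok")
```

A front end that answers any non-empty result with a 400 response, instead of choosing one length and forwarding the request, never disagrees with the back end about where the request ends.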

Affected Version(s)
Eclipse Jetty < 9.2.25
Eclipse Jetty 9.3.0
Eclipse Jetty < 9.3.24
EPSS Score
8% chance of being exploited in the next 30 days.
