Vulnerability in Eclipse Jetty Server Allows Authorization Bypass
CVE-2017-7658

9.8CRITICAL

Key Information:

Vendor: The Eclipse Foundation
Status: Eclipse Jetty
Vendor: CVE Published:; 26 June 2018

What is CVE-2017-7658?

A vulnerability in the Eclipse Jetty Server allows the server to ignore the second content-length header when processing requests. When there is a conflict between a content-length header and chunked encoding, Jetty compromises by disregarding the content-length. This could lead to a scenario where intermediary systems, which may impose authorization, inadvertently allow unauthorized requests to bypass checks by treating extended requests as valid pipelined requests. The affected versions include Jetty Server 9.2.x and older, all non HTTP/1.x configurations of 9.3.x, and all HTTP/1.x configurations of 9.4.x, presenting a significant risk for users relying on Jetty for their web applications.

Affected Version(s)

Eclipse Jetty < 9.2.25

Eclipse Jetty 9.3.0

Eclipse Jetty < 9.3.24

References

https://www.debian.org/security/2018/dsa-4278

vendor-advisoryx_refsource_DEBIAN

http://www.securitytracker.com/id/1041194

vdb-entryx_refsource_SECTRACK

http://www.securityfocus.com/bid/106566

vdb-entryx_refsource_BID

EPSS Score

10% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 26, 2018
Vulnerability Reserved
Apr 11, 2017

The Eclipse Foundation

What is CVE-2017-7658?

Affected Version(s)

References

EPSS Score

CVSS V3.1

Timeline