CVE-2017-7658 — Vulnetix

Try Vulnetix Request Demo

CVE-2017-7658 PUBLISHED

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

EPSS 8.04% · 92.1th percentile

Risk Scores

EPSS Score

8.04%

92.1th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:14.04:LTS	jetty8	8.1.3-8, 8.1.3-9, 0
Ubuntu:16.04:LTS	jetty8	8.1.17-2, 8.1.18-1, 8.1.18-3
Ubuntu:16.04:LTS	jetty9	0, 9.2.14-1
Ubuntu:18.04:LTS	jetty9	0, 9.2.22-2, 9.2.22-3

Timeline

CVE Published
Nov 12, 2019 PoC Published
Apr 14, 2021 EPSS Score
Feb 4, 2022 EPSS Score
Mar 7, 2023 EPSS Score
Mar 17, 2025 EPSS Score
Mar 18, 2025 EPSS Score
Mar 24, 2025 EPSS Score
Mar 30, 2025 EPSS Score
Apr 13, 2025 EPSS Score
Apr 30, 2025 EPSS Score
May 1, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2017-7658 third-party-advisory
https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2017-7658 third-party-advisory

Open in Interactive Console →