Jetty vulnerable to authorization bypass due to inconsistent HTTP request handling (HTTP Request Smuggling)

GHSA-6x9x-8qw9-9pp6 · CVE-2017-7658

Published Oct 19, 2018 · Modified Feb 16, 2024

Description

Eclipse Jetty Server versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), are vulnerable to HTTP Request Smuggling when presented with two content-lengths headers, allowing authorization bypass. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decides on the shorter length, but still passes on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary is imposing authorization, the fake pipelined request bypasses that authorization.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-7658
WEB https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669
ADVISORY https://github.com/advisories/GHSA-6x9x-8qw9-9pp6
WEB https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E
WEB https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E
WEB https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
WEB https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
WEB https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8@%3Ccommits.druid.apache.org%3E
WEB https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae@%3Ccommits.druid.apache.org%3E
WEB https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574@%3Ccommits.druid.apache.org%3E
WEB https://security.netapp.com/advisory/ntap-20181014-0001
WEB https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us
WEB https://www.debian.org/security/2018/dsa-4278
WEB https://www.oracle.com/security-alerts/cpuoct2020.html
WEB https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
WEB https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
WEB http://www.securityfocus.com/bid/106566
WEB http://www.securitytracker.com/id/1041194

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes