CVE-2017-7658 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2017-7658 Interim 1 9 2023-04-20T00:36:09Z current 2021-10-30T00:33:44Z 2023-04-20T00:36:09Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2017-7658 In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP2 jetty-http jetty-io jetty-minimal jetty-security jetty-server jetty-servlet jetty-util jetty-util-ajax jetty-http as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 jetty-io as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 jetty-security as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 jetty-server as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 jetty-servlet as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 jetty-util as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 jetty-util-ajax as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 jetty-minimal as a component of SUSE Linux Enterprise Module for Development Tools 15 SP2 In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization. CVE-2017-7658 SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-http SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-io SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-minimal SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-security SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-server SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-servlet SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-util SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-util-ajax critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H