9.8

CVE-2017-7658

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
EclipseJetty Version <= 9.2.26
EclipseJetty Version >= 9.3.0 < 9.3.24
EclipseJetty Version >= 9.4.0 < 9.4.11
DebianDebian Linux Version9.0
OracleRest Data Services Version11.2.0.4 SwEdition-
OracleRest Data Services Version12.1.0.2 SwEdition-
OracleRest Data Services Version12.2.0.1 SwEdition-
OracleRest Data Services Version18c SwEdition-
OracleRetail Xstore Payment Version3.3
HpXp P9000 Command View SwEditionadvanced Version >= 8.4.0-00 <= 8.6.2-00
   HpXp P9000 Version-
NetappE-series Santricity Os Controller Version >= 11.0 <= 11.50.1
NetappHci Storage Node Version-
NetappOncommand System Manager Version >= 3.0 <= 3.1.3
NetappSnapcenter Version-
NetappSnapmanager Version- SwPlatformoracle
NetappSnapmanager Version- SwPlatformsap
NetappSolidfire Version-
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 20.99% 0.972
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
https://www.oracle.com//security-alerts/cpujul2021.html
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
Patch
Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html
Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Patch
Third Party Advisory
https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E
http://www.securitytracker.com/id/1041194
Third Party Advisory
VDB Entry
https://security.netapp.com/advisory/ntap-20181014-0001/
Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us
Third Party Advisory
https://www.debian.org/security/2018/dsa-4278
Third Party Advisory
https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574%40%3Ccommits.druid.apache.org%3E
http://www.securityfocus.com/bid/106566
Third Party Advisory
VDB Entry
https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669
Third Party Advisory