PT-2018-3781 · Eclipse · Eclipse Jetty Server
Published 2018-06-07 · Updated 2021-09-23
CVE-2017-7658 · CVSS v3.1: 10 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Eclipse Jetty Server versions 9.2.x and older
Eclipse Jetty Server versions 9.3.x (all non-HTTP/1.x configurations)
Eclipse Jetty Server versions 9.4.x (all HTTP/1.x configurations)
Description
The issue is related to the implementation of the Hypertext Transfer Protocol (HTTP/1.1) in the Eclipse Jetty Server, specifically the handling of the Transfer-Encoding and Content-Length headers. When presented with two Content-Length headers, Jetty ignores the second. When presented with both a Content-Length header and a chunked Transfer-Encoding header, the Content-Length is ignored, as per RFC 2616. This can lead to a situation where an intermediary decides on a shorter body length but still passes on the longer body, so that the remainder of the body is interpreted by Jetty as a pipelined request. If the intermediary is imposing authorization, the fake pipelined request can bypass that authorization, allowing attacks such as HTTP Request Smuggling.
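A defender-side check in the spirit of the description above, added here as an example and not code from Jetty or from the advisory: an intermediary or request validator that refuses the ambiguous framings the advisory describes (duplicate Content-Length, Content-Length alongside Transfer-Encoding) instead of silently picking one, so front end and back end can never disagree on where a request body ends. The sample requests and all function names are constructed for this example.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample request heads (CRLF line endings, body omitted since only
# the headers decide framing). Not taken from the advisory.
DUP_CL = b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 4\r\nContent-Length: 40\r\n\r\n"
CL_AND_TE = b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
CLEAN = b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 4\r\n\r\n"

class Framing(NamedTuple):
    accept: bool
    reason: str
    body_length: Optional[int]  # None when chunked or when the request is rejected

_CL_RE = re.compile(rb"^[0-9]+$")

def parse_headers(head: bytes) -> list[tuple[bytes, bytes]]:
    """Split a request head into (lowercased name, value) pairs, keeping duplicates."""
    out = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if not line:                       # blank line ends the head
            break
        name, _, value = line.partition(b":")
        out.append((name.strip().lower(), value.strip()))
    return out

def decide_framing(raw: bytes) -> Framing:
    """Accept a request only if every conforming parser would frame its body
    the same way (RFC 7230 section 3.3.3): no Content-Length next to
    Transfer-Encoding, no conflicting or malformed Content-Length values,
    and 'chunked' must be the final transfer coding."""
    headers = parse_headers(raw)
    cls = [v for n, v in headers if n == b"content-length"]
    tes = [v for n, v in headers if n == b"transfer-encoding"]
    if tes and cls:
        return Framing(False, "Content-Length together with Transfer-Encoding", None)
    if tes:
        codings = [c.strip().lower() for v in tes for c in v.split(b",")]
        if codings[-1] != b"chunked":
            return Framing(False, "Transfer-Encoding does not end in chunked", None)
        return Framing(True, "chunked", None)
    if not cls:
        return Framing(True, "no body", 0)
    if any(not _CL_RE.match(v) for v in cls):
        return Framing(False, "malformed Content-Length", None)
    if len(set(cls)) > 1:
        return Framing(False, "conflicting Content-Length values", None)
    return Framing(True, "content-length", int(cls[0]))
```

Identical duplicate Content-Length values are tolerated here, as RFC 7230 allows; a stricter deployment can reject any duplicate by testing `len(cls) > 1` instead.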
Recommendations
For Eclipse Jetty Server versions 9.2.x and older, upgrade to a release that handles Content-Length headers correctly, to prevent HTTP Request Smuggling attacks.
For Eclipse Jetty Server versions 9.3.x (all non-HTTP/1.x configurations), ensure that the server is configured to handle Transfer-Encoding and Content-Length headers correctly, to mitigate the vulnerability.
For Eclipse Jetty Server versions 9.4.x (all HTTP/1.x configurations), review the server's configuration to ensure that it handles chunked encoding and Content-Length headers correctly, to prevent authorization bypass attacks.
As a temporary workaround, restrict access to sensitive areas of the server to minimize the risk of exploitation until a proper fix is applied.
Fix
HTTP Request/Response Smuggling
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Eclipse Jetty Server