PT-2018-3790 · Eclipse · Eclipse Jetty

Published 2018-06-26 · Updated 2021-09-23 · CVE-2017-7656

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Eclipse Jetty versions 9.2.x and older
Eclipse Jetty versions 9.3.x
Eclipse Jetty versions 9.4.x (non-default configuration with RFC2616 compliance enabled)
Description

Eclipse Jetty handles HTTP/0.9 requests poorly. A request line written in HTTP/1 syntax (method, request target and version token) but declaring the version as HTTP/0.9 is accepted and processed as an HTTP/0.9 request, so the server answers with a bare response body and no status line or headers. When Jetty sits behind an intermediary (reverse proxy or cache) that forwards the request with its declared 0.9 version but does not itself act on that version, the intermediary reads the start of that bare body as an HTTP/1 status line and header block. If the origin lets the client influence the response content (for example by reflecting request input into the body), the attacker chooses those apparent headers and status, and can have the intermediary cache an attacker-controlled response for other clients. The impact is on the integrity of responses served to other users; confidentiality is not affected, as the CVSS vector (C:N/I:H/A:N) reflects.
Recommendations

Upgrade to a release that contains the fix: the upstream advisory listed below (GHSA-84Q7-P226-4X5W) records the fixed releases as Eclipse Jetty 9.2.25, 9.3.24 and 9.4.11. The distribution advisories listed below (DSA-4278-1 and the ALT-PU entries) track the corresponding package updates for Debian and ALT Linux.

Where an upgrade cannot be applied immediately:

For Eclipse Jetty versions 9.2.x and older, disable HTTP/0.9 support if the deployed version allows it, and otherwise restrict network access to the server.
For Eclipse Jetty versions 9.3.x, restrict access to the server to minimize the risk of exploitation.
For Eclipse Jetty versions 9.4.x, keep the default HTTP compliance mode (RFC7230); the issue is only reachable when the non-default RFC2616 compliance mode is enabled.

Independently of the Jetty version, configure any intermediary in front of it to reject requests whose request line declares an HTTP version the intermediary does not itself implement, rather than forwarding them. To verify a deployment, send a request line of the form "GET /path HTTP/0.9" through the intermediary and confirm that the reply begins with a proper HTTP/1 status line rather than a bare body.

Weakness Enumeration

HTTP Request/Response Smuggling (CWE-444)

Related identifiers

ALT-PU-2019-2113
ALT-PU-2021-2857
BDU:2022-02668
CVE-2017-7656
DSA-4278-1
GHSA-84Q7-P226-4X5W

Affected products

Alt Linux
Eclipse Jetty
Jira