{"id":"CVE-2017-7658","details":"In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.","aliases":["GHSA-6x9x-8qw9-9pp6"],"modified":"2026-07-08T05:51:42.478419960Z","published":"2018-06-26T17:29:00.210Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"introduced":"8.4.0-00"},{"last_affected":"8.6.2-00"}],"cpes":["cpe:2.3:a:hp:xp_p9000_command_view:*:*:*:*:advanced:*:*:*"],"source":"CPE_RANGE","vendor_product":"hp:xp_p9000_command_view"},{"cpes":["cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*"],"vendor_product":"netapp:e-series_santricity_os_controller","source":"CPE_RANGE","extracted_events":[{"introduced":"11.0"},{"last_affected":"11.50.1"}]},{"cpes":["cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"3.0"},{"last_affected":"3.1.3"}],"source":"CPE_RANGE","vendor_product":"netapp:oncommand_system_manager"},{"extracted_events":[{"introduced":"9.0"},{"last_affected":"9.0"}],"cpes":["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"],"source":"CPE_STRING","vendor_product":"debian:debian_linux"},{"vendor_product":"oracle:rest_data_services","extracted_events":[{"introduced":"11.2.0.4"},{"last_affected":"11.2.0.4"},{"introduced":"12.1.0.2"},{"last_affected":"12.1.0.2"},{"introduced":"12.2.0.1"},{"last_affected":"12.2.0.1"},{"introduced":"18c"},{"last_affected":"18c"}],"source":"CPE_STRING","cpes":["cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*","cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*","cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*","cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*"]},{"extracted_events":[{"introduced":"3.3"},{"last_affected":"3.3"}],"cpes":["cpe:2.3:a:oracle:retail_xstore_payment:3.3:*:*:*:*:*:*:*"],"source":"CPE_STRING","vendor_product":"oracle:retail_xstore_payment"},{"cpes":["cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*"],"vendor_product":"oracle:retail_xstore_point_of_service","source":"CPE_STRING","extracted_events":[{"introduced":"7.1"},{"last_affected":"7.1"},{"introduced":"15.0"},{"last_affected":"15.0"},{"introduced":"16.0"},{"last_affected":"16.0"},{"introduced":"17.0"},{"last_affected":"17.0"}]}]},"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/106566"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1041194"},{"type":"ADVISORY","url":"https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20181014-0001/"},{"type":"ADVISORY","url":"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4278"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"type":"FIX","url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"},{"type":"FIX","url":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jetty/jetty.project","events":[{"introduced":"0"},{"last_affected":"8c637489ae2bdc2d281b8db171e7427a47fdcc2b"},{"introduced":"390f3200cce7f90f1f3ebc78013c1afea2f93db8"},{"fixed":"84205aa28f11a4f31f2a3b86d1bba2cc8ab69827"},{"introduced":"bf9d17540c7ae4c91be30c045a9485aa2030d3e5"},{"fixed":"d5fc0523cfa96bfebfbda19606cad384d772f04c"}],"database_specific":{"source":"CPE_RANGE","extracted_events":[{"introduced":"0"},{"last_affected":"9.2.26"},{"introduced":"9.3.0"},{"fixed":"9.3.24"},{"introduced":"9.4.0"},{"fixed":"9.4.11"}],"cpe":"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*"}}],"versions":["jetty-9.2.26.v20180806","jetty-9.4.6.v20170531","jetty-9.4.2.v20170220","jetty-9.4.10.v20180503","jetty-9.3.23.v20180228","jetty-9.2.23.v20171218","jetty-9.2.22.v20170606","jetty-9.3.19.v20170502","jetty-9.3.18.v20170406","jetty-9.3.17.v20170317","jetty-9.2.21.v20170120","jetty-9.2.20.v20161216","jetty-9.3.13.M0","jetty-9.2.19.v20160908","jetty-9.2.18.v20160721","jetty-9.2.15.v20160210","jetty-9.3.7.v20160115","jetty-9.3.7.RC1","jetty-9.3.4.v20151007","jetty-9.2.13.v20150730","jetty-9.2.12.v20150709","jetty-9.2.12.M0","jetty-9.2.11.v20150529","jetty-9.2.11.v20150528","jetty-9.2.11.M0","jetty-9.2.10.v20150310","jetty-9.2.9.v20150224","jetty-9.2.8.v20150217","jetty-9.2.7.v20150116","jetty-9.2.6.v20141205","jetty-9.2.6.v20141203","jetty-9.2.5.v20141112","jetty-9.2.4.v20141103","jetty-9.2.3.v20140905","jetty-9.2.2.v20140723","jetty-9.2.1.v20140609","jetty-9.2.0.v20140526","jetty-9.2.0.v20140523","jetty-9.2.0.RC0","jetty-9.2.0.M1","jetty-9.1.4.v20140401","jetty-9.2.0.M0","jetty-9.1.3.v20140225","jetty-9.1.2.v20140210","jetty-9.1.1.v20140108","jetty-9.1.0.v20131115","jetty-9.1.0.RC2","jetty-9.1.0.RC1","jetty-9.1.0.RC0","jetty-9.1.0.M0","jetty-8.1.0.RC0","jetty-8.0.0.RC0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-7658.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}