CVE-2017-7656 in Eclipse and Debian Products

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Weakness Type

What is a HTTP Request Smuggling Vulnerability?

When malformed or abnormal HTTP requests are interpreted by one or more entities in the data flow between the user and the web server, such as a proxy or firewall, they can be interpreted inconsistently, allowing the attacker to "smuggle" a request to one device without the other device being aware of it.

CVE-2017-7656 has been classified to as a HTTP Request Smuggling vulnerability or weakness.

Products Associated with CVE-2017-7656

stack.watch emails you whenever new vulnerabilities are published in Eclipse Jetty or Debian Linux. Just hit a watch button to start following.

Affected Versions

Exploit Probability

EPSS

7.77%

Percentile

91.80%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

CVE-2017-7656 in Eclipse and Debian ProductsPublished on June 26, 2018

Weakness Type

What is a HTTP Request Smuggling Vulnerability?

Products Associated with CVE-2017-7656

Affected Versions

Exploit Probability

CVE-2017-7656 in Eclipse and Debian Products
Published on June 26, 2018