How severe is CVE-2017-7658?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2017-7658?

This is classified as CWE-444, which is a common weakness in software security.

CVE-2017-7658 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Related Vulnerabilities

CVE-2015-5739

CRITICAL

CVSS:9.8(Critical)

The net/http library in net/textproto/reader.go in Go before 1.4.3 does not properly parse HTTP header keys, which allows remote attackers to conduct HTTP request smuggling attacks via a space instead...

CWE-4442015

CVE-2015-5740

CRITICAL

CVSS:9.8(Critical)

The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request with two Con...

CWE-4442015

CVE-2015-5741

CRITICAL

CVSS:9.8(Critical)

CWE-4442015

CVE-2016-10711

CRITICAL

CVSS:9.8(Critical)

Apsis Pound before 2.8a allows request smuggling via crafted headers, a different vulnerability than CVE-2005-3751.

CWE-4442016

CVE-2017-7657

CRITICAL

CVSS:9.8(Critical)

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk le...

CWE-4442017

CVE-2019-15605

CRITICAL

CVSS:9.8(Critical)

HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed

CWE-4442019