Lucene search

K
ubuntucveUbuntu.comUB:CVE-2017-7657
HistoryJun 26, 2018 - 12:00 a.m.

CVE-2017-7657

2018-06-2600:00:00
ubuntu.com
ubuntu.com
12

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.01 Low

EPSS

Percentile

83.5%

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and
9.4.x (non-default configuration with RFC2616 compliance enabled),
transfer-encoding chunks are handled poorly. The chunk length parsing was
vulnerable to an integer overflow. Thus a large chunk size could be
interpreted as a smaller chunk size and content sent as chunk body could be
interpreted as a pipelined request. If Jetty was deployed behind an
intermediary that imposed some authorization and that intermediary allowed
arbitrarily large chunks to be passed on unchanged, then this flaw could be
used to bypass the authorization imposed by the intermediary as the fake
pipelined request would not be interpreted by the intermediary as a
request.

Notes

Author Note
ebarretto jetty8 ignored (very hard to exploit, complex patch)
OSVersionArchitecturePackageVersionFilename
ubuntu16.04noarchjetty9< anyUNKNOWN
ubuntu18.04noarchjetty9< anyUNKNOWN

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.01 Low

EPSS

Percentile

83.5%