In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2017-7656
### Vulnerable Library - jetty-http-8.1.15.v20140411.jar
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-28169
### Vulnerable Library - jetty-http-8.1.15.v20140411.jar
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Administrative parent pom for Jetty modules
Library home page: http://www.mortbay.com
Path to vulnerable library: /lib/jetty-http-8.1.15.v20140411.jar
Found in HEAD commit: bafe36287e51aaacdb1ab47c78bd429757cdc4f2
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2017-7657
### Vulnerable Library - jetty-http-8.1.15.v20140411.jarAdministrative parent pom for Jetty modules
Library home page: http://www.mortbay.com
Path to vulnerable library: /lib/jetty-http-8.1.15.v20140411.jar
Dependency Hierarchy: - :x: **jetty-http-8.1.15.v20140411.jar** (Vulnerable Library)
Found in HEAD commit: bafe36287e51aaacdb1ab47c78bd429757cdc4f2
Found in base branch: main
### Vulnerability DetailsIn Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
Publish Date: 2018-06-26
URL: CVE-2017-7657
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668
Release Date: 2018-06-26
Fix Resolution: 8.1.16.v20140903
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2017-7656
### Vulnerable Library - jetty-http-8.1.15.v20140411.jarAdministrative parent pom for Jetty modules
Library home page: http://www.mortbay.com
Path to vulnerable library: /lib/jetty-http-8.1.15.v20140411.jar
Dependency Hierarchy: - :x: **jetty-http-8.1.15.v20140411.jar** (Vulnerable Library)
Found in HEAD commit: bafe36287e51aaacdb1ab47c78bd429757cdc4f2
Found in base branch: main
### Vulnerability DetailsIn Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
Publish Date: 2018-06-26
URL: CVE-2017-7656
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667
Release Date: 2018-06-26
Fix Resolution: org.eclipse.jetty:jetty-server:9.2.25.v20180606,9.3.24.v20180605,9.4.11.v20180605;org.eclipse.jetty:jetty-http:9.2.25.v20180606.,9.3.24.v20180605,9.4.11.v20180605
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-28169
### Vulnerable Library - jetty-http-8.1.15.v20140411.jarAdministrative parent pom for Jetty modules
Library home page: http://www.mortbay.com
Path to vulnerable library: /lib/jetty-http-8.1.15.v20140411.jar
Dependency Hierarchy: - :x: **jetty-http-8.1.15.v20140411.jar** (Vulnerable Library)
Found in HEAD commit: bafe36287e51aaacdb1ab47c78bd429757cdc4f2
Found in base branch: main
### Vulnerability DetailsFor Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Publish Date: 2021-06-09
URL: CVE-2021-28169
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq
Release Date: 2021-06-09
Fix Resolution: 9.4.41.v20210516
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)