Candidate: CVE-2017-7656
PublicDate: 2018-06-26 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7656
 https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667
Description:
 In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations),
 and 9.4.x (non-default configuration with RFC2616 compliance enabled),
 HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method
 space URI space version) that declares a version of HTTP/0.9 was accepted
 and treated as a 0.9 request. If deployed behind an intermediary that also
 accepted and passed through the 0.9 version (but did not act on it), then
 the response sent could be interpreted by the intermediary as HTTP/1
 headers. This could be used to poison the cache if the server allowed the
 origin client to generate arbitrary content in the response.
Ubuntu-Description:
Notes:
 ebarretto> jetty8 ignored (very hard to exploit, complex patch)
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]

Patches_jetty8:
upstream_jetty8: released (9.2.25-1)
precise/esm_jetty8: DNE
trusty_jetty8: ignored (out of standard support)
trusty/esm_jetty8: ignored
xenial_jetty8: ignored
artful_jetty8: DNE
bionic_jetty8: DNE
cosmic_jetty8: DNE
disco_jetty8: DNE
eoan_jetty8: DNE
focal_jetty8: DNE
groovy_jetty8: DNE
hirsute_jetty8: DNE
impish_jetty8: DNE
jammy_jetty8: DNE
devel_jetty8: DNE

Patches_jetty9:
upstream_jetty9: released (9.2.25-1)
precise/esm_jetty9: DNE
trusty_jetty9: DNE
trusty/esm_jetty9: DNE
xenial_jetty9: ignored (end of standard support, was needed)
artful_jetty9: ignored (reached end-of-life)
bionic_jetty9: needed
cosmic_jetty9: not-affected (9.2.26-1)
disco_jetty9: not-affected (9.2.26-1)
eoan_jetty9: not-affected (9.2.26-1)
focal_jetty9: not-affected (9.2.26-1)
groovy_jetty9: not-affected (9.2.26-1)
hirsute_jetty9: not-affected (9.2.26-1)
impish_jetty9: not-affected (9.2.26-1)
jammy_jetty9: not-affected (9.2.26-1)
devel_jetty9: not-affected (9.2.26-1)