Security Advisories

CGA-9q89-f4mr-53vg

https://images.chainguard.dev/security/CGA-9q89-f4mr-53vg
Package

hadoop-fips-3.3.6

Repository

Chainguard

Latest Update
Fix not planned
Aliases
  • CVE-2017-7658
  • GHSA-6x9x-8qw9-9pp6

Severity

Unknown

Summary

Jetty vulnerable to authorization bypass due to inconsistent HTTP request handling (HTTP Request Smuggling)

Description

Eclipse Jetty Server versions 9.2.x and older, 9.3.x (all non-HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations) are vulnerable to HTTP Request Smuggling when presented with two Content-Length headers, allowing authorization bypass. When presented with a Content-Length header and a chunked Transfer-Encoding header, the Content-Length was ignored (as per RFC 2616). If an intermediary decides on the shorter length but still passes on the longer body, the remaining body content could be interpreted by Jetty as a pipelined request. If the intermediary is imposing authorization, the fake pipelined request bypasses that authorization.
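The mitigation on the intermediary side is to refuse to guess: a proxy that sees two disagreeing Content-Length values, or Content-Length together with Transfer-Encoding, should reject the request rather than pick one length and forward the full bytes. The following is an added example, not code from the advisory, Jetty or Chainguard, of such a framing check as a reverse proxy or a request-log auditor might apply; the sample requests are constructed.

```python
# Added example (not Jetty's or the advisory's code): reject ambiguously framed requests.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Framing:
    verdict: str                # "ok" or "reject"
    reason: str
    body_length: Optional[int]  # None when chunked or rejected

def check_framing(raw: bytes) -> Framing:
    """Decide how one HTTP/1.x request body is framed, or reject it (RFC 7230 3.3.3).

    Transfer-Encoding alongside Content-Length, or Content-Length values that disagree,
    leave the body boundary ambiguous; an intermediary that guesses and still forwards
    the full bytes is the behaviour the advisory describes, so reject instead of guessing.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    cl_values: List[bytes] = []
    te_values: List[bytes] = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            return Framing("reject", "malformed header line", None)
        name = name.strip().lower()
        if name == b"content-length":
            # one field may also carry a comma-separated list; keep every entry
            cl_values += [v.strip() for v in value.split(b",")]
        elif name == b"transfer-encoding":
            te_values += [v.strip().lower() for v in value.split(b",")]
    if te_values:
        if cl_values:
            return Framing("reject", "Transfer-Encoding and Content-Length both present", None)
        if te_values[-1] != b"chunked":
            return Framing("reject", "final Transfer-Encoding is not chunked", None)
        return Framing("ok", "chunked", None)
    if not cl_values:
        return Framing("ok", "no body", 0)
    if len(set(cl_values)) != 1:
        return Framing("reject", "conflicting Content-Length values", None)
    if not cl_values[0].isdigit():
        return Framing("reject", "non-numeric Content-Length", None)
    return Framing("ok", "content-length", int(cl_values[0]))

# Constructed samples: a clean request and the two ambiguous shapes named in the advisory.
CLEAN = b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\n\r\nhello"
DOUBLE_CL = b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\nContent-Length: 30\r\n\r\nhello"
CL_AND_TE = b"POST /api HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
```

Running the three samples through `check_framing` yields `ok` for `CLEAN` and `reject` for the other two, which is the decision an intermediary in front of an affected Jetty should make before any body bytes are forwarded.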
