Security issue #18
I've just quickly tested the 9.4.46.v20220331 version, and I'm also going to try the 9.4.29.v20200521, which is the first that fixes the security hole. I don't think just updating jetty-server will fix it. Tried the pull, but got a version mismatch, so I updated all of jetty-server, jetty-servlet, jetty-util and websocket-server to the same newer version. I have only tested whether they start up without throwing any exceptions. Do you know what kind of socket problem it could be, so I can test them?

If the web interface works, then there should be no problems. So, yeah, at best just test that.
From the security scan
Eclipse Jetty: Transfer-Encoding Request Smuggling Vulnerability
In Eclipse Jetty, transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
Solution
Upgrade to version 9.4.29.v20200521 or later of Eclipse Jetty.
Information
This vulnerability was identified because (1) the detected version of Eclipse Jetty, 9.4.z-SNAPSHOT, is less than 9.4.11.v20180605
Paths:
/
Reference
Vendor - https://www.eclipse.org/jetty/
Solution - https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668
IP-Address: xxx.xxx.xxx.xx
Port/Protocol: 9696/TCP
Service: http
CVSS: High (7.5)
CVE: CVE-2017-7657
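To make the scanner's description concrete, here is an added example (not Jetty's code, and not from anyone in this thread) that contrasts a naive hex chunk-size parser accumulating into a 32-bit `int` with a hardened one. The class name `ChunkSizeParsing`, both method names and the `maxChunkSize` ceiling are assumptions for illustration. With the constructed chunk-size line `100000005` (2^32 + 5), the naive parser wraps around and reports a chunk of 5 bytes, which is exactly the "large chunk size interpreted as a smaller chunk size" the report describes; the strict parser rejects the line before it can be misread.

```java
import java.nio.charset.StandardCharsets;

/**
 * Toy illustration of the chunk-size parsing hazard described in the scan report.
 * Hypothetical code written for this issue; it is not Jetty's HttpParser.
 */
public final class ChunkSizeParsing {

    /** Naive parser: accumulates the hex chunk size in a 32-bit int with no overflow check. */
    static int parseChunkSizeNaive(String hexLine) {
        int size = 0;
        for (int i = 0; i < hexLine.length(); i++) {
            int d = Character.digit(hexLine.charAt(i), 16);
            if (d < 0) {
                throw new IllegalArgumentException("bad chunk size: " + hexLine);
            }
            size = size * 16 + d; // silently wraps once the value passes Integer.MAX_VALUE
        }
        return size;
    }

    /**
     * Hardened parser: fails on arithmetic overflow and enforces a configured ceiling,
     * so an oversized chunk size is rejected instead of being truncated.
     */
    static int parseChunkSizeStrict(String hexLine, int maxChunkSize) {
        int size = 0;
        for (int i = 0; i < hexLine.length(); i++) {
            int d = Character.digit(hexLine.charAt(i), 16);
            if (d < 0) {
                throw new IllegalArgumentException("bad chunk size: " + hexLine);
            }
            try {
                size = Math.addExact(Math.multiplyExact(size, 16), d);
            } catch (ArithmeticException e) {
                throw new IllegalArgumentException("chunk size overflows int: " + hexLine);
            }
            if (size > maxChunkSize) {
                throw new IllegalArgumentException("chunk size exceeds limit: " + hexLine);
            }
        }
        return size;
    }

    public static void main(String[] args) {
        // Constructed sample: 0x100000005 = 2^32 + 5, which does not fit in a Java int.
        String oversized = new String("100000005".getBytes(StandardCharsets.US_ASCII), StandardCharsets.US_ASCII);

        // Naive parser wraps to 5, so the next 5 bytes are taken as the chunk body and
        // whatever follows is treated as the start of a new (pipelined) request.
        System.out.println("naive : " + parseChunkSizeNaive(oversized));

        // Strict parser refuses the line; a 1 MiB ceiling is an assumed, arbitrary limit.
        try {
            parseChunkSizeStrict(oversized, 1 << 20);
            System.out.println("strict: accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("strict: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The defensive point matches the report's "Solution" line: the fix belongs in the parser (upgrade Jetty so that the checked arithmetic and size limit are in place), not in the intermediary, because the intermediary cannot tell a wrapped chunk length from a legitimate small one.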