Overview
About vulnerability
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the “funky chunks” techniques outlined here:
Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.
POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked
1;ext=“val X 0
GET /smuggled HTTP/1.1 …
Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
Details
- Affected product:
- Apache Hadoop , Apache Hive , Apache Kafka , Apache Lucene , Apache Spark , Apache Tapestry , Eclipse Jetty , Spring , activemq , agepredictor , avro , cxf , druid , htmlunit , jersey , jgit , karaf , lucene , solr , tika
- Affected packages:
- jetty.project (+5935 more)
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the “funky chunks” techniques outlined here:
Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.
POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked
1;ext=“val X 0
GET /smuggled HTTP/1.1 …
Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.