CVE-2023-40167

CWE-130 | 11 documents | 7 sources

Severity: 5.3 MEDIUM
EPSS: 4.8% (top 10.48%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 15; Latest update Apr 15

Description

Jetty is a Java-based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the Content-Length value in an HTTP/1 header field. This is more permissive than the RFC allows, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (4 packages)

Source | Package | Introduced | Fixed | More ranges
Maven | org.eclipse.jetty:jetty-http | 9.0.0 | 9.4.52 | +3
NVD | eclipse/jetty | 9.0.0 | 9.4.52 | +3
Debian | jetty9 | < 9.4.39-3+deb11u2 | +3
CVEListV5 | eclipse/jetty.project | 4 versions | +3

Also affects: Debian Linux 10.0, 11.0, 12.0

Vulnerability Details (4)

OSV: CVE-2023-40167: Jetty is a Java based web server and servlet engine (2023-09-15)
CVEList: Jetty accepts "+" prefixed value in Content-Length (2023-09-15)
GHSA: Jetty accepts "+" prefixed value in Content-Length (2023-09-14)
OSV: Jetty accepts "+" prefixed value in Content-Length (2023-09-14)

Vendor Advisories (6)

Oracle: Oracle Retail Applications Risk Matrix: Point of Sale (Eclipse Jetty) — CVE-2023-40167 (2025-04-15)
Oracle: Oracle Enterprise Manager Risk Matrix: Agent Next Gen (Eclipse Jetty) — CVE-2023-40167 (2024-07-15)
Oracle: Oracle Communications Risk Matrix: Configuration (Eclipse Jetty) — CVE-2023-40167 (2024-01-15)
Oracle: Oracle Communications Risk Matrix: General (Eclipse Jetty) — CVE-2023-40167 (2023-10-15)
Red Hat: jetty: Improper validation of HTTP/1 content-length (2023-09-19)