CVE-2023-40167

2023-09-1520:15:09

Google

osv.dev

jetty

java based

web server

vulnerability

http/1

response

patch

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

25.8%

JSON

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the + character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.

CPENameOperatorVersion
jetty.projecteqjetty-9.3.10.v20160621
jetty.projecteqjetty-9.1.2.v20140210
jetty.projecteqjetty-7.6.6.v20120903
jetty.projecteqjetty-9.1.0.v20131115
jetty.projecteqjetty-9.2.28.v20190418
jetty.projecteqjetty-9.2.12.M0
jetty.projecteqjetty-10.0.5
jetty.projecteqjetty-9.3.25.v20180904
jetty.projecteqjetty-9.4.40.v20210413
jetty.projecteqjetty-9.2.18.v20160721

Name	Operator	Version
jetty.project	eq	jetty-9.3.10.v20160621
jetty.project	eq	jetty-9.1.2.v20140210
jetty.project	eq	jetty-7.6.6.v20120903
jetty.project	eq	jetty-9.1.0.v20131115
jetty.project	eq	jetty-9.2.28.v20190418
jetty.project	eq	jetty-9.2.12.M0
jetty.project	eq	jetty-10.0.5
jetty.project	eq	jetty-9.3.25.v20180904
jetty.project	eq	jetty-9.4.40.v20210413
jetty.project	eq	jetty-9.2.18.v20160721