CVE-2023-40167

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:12.0.0:-:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:12.0.0:beta0:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:12.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:12.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:12.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:12.0.0:beta4:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*

History

13 Oct 2023, 01:59

Type Values Removed Values Added
References (MISC) https://www.debian.org/security/2023/dsa-5507 - (MISC) https://www.debian.org/security/2023/dsa-5507 - Third Party Advisory
References (MISC) https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html - (MISC) https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html - Mailing List, Third Party Advisory
CPE cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
First Time Debian debian Linux
Debian

30 Sep 2023, 15:15

Type Values Removed Values Added
References
  • (MISC) https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html -

29 Sep 2023, 12:15

Type Values Removed Values Added
CWE NVD-CWE-noinfo CWE-130
References
  • (MISC) https://www.debian.org/security/2023/dsa-5507 -

20 Sep 2023, 20:20

Type Values Removed Values Added
CWE CWE-130 NVD-CWE-noinfo
CPE cpe:2.3:a:eclipse:jetty:12.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:12.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:12.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:12.0.0:beta0:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:12.0.0:-:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:12.0.0:beta3:*:*:*:*:*:*
First Time Eclipse
Eclipse jetty
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.3
References (MISC) https://www.rfc-editor.org/rfc/rfc9110#section-8.6 - (MISC) https://www.rfc-editor.org/rfc/rfc9110#section-8.6 - Technical Description
References (MISC) https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6 - (MISC) https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6 - Vendor Advisory

17 Sep 2023, 12:01

Type Values Removed Values Added
New CVE

Information

Published : 2023-09-15 20:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-40167

Mitre link : CVE-2023-40167

CVE.ORG link : CVE-2023-40167


JSON object : View

Products Affected

debian

  • debian_linux

eclipse

  • jetty
CWE
CWE-130

Improper Handling of Length Parameter Inconsistency

NVD-CWE-noinfo