Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
History

Wed, 25 Sep 2024 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-09-15T19:37:37.530Z

Updated: 2024-09-25T18:50:08.203Z

Reserved: 2023-08-09T15:26:41.051Z

Link: CVE-2023-40167

cve-icon Vulnrichment

Updated: 2024-08-02T18:24:55.674Z

cve-icon NVD

Status : Modified

Published: 2023-09-15T20:15:09.827

Modified: 2024-11-21T08:18:54.840

Link: CVE-2023-40167

cve-icon Redhat

Severity : Moderate

Publid Date: 2023-09-19T00:00:00Z

Links: CVE-2023-40167 - Bugzilla