Jetty is a Java-based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
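As an added illustration (not Jetty's code and not part of the advisory), the Python sketch below contrasts a permissive integer parse with the `1*DIGIT` grammar the HTTP RFCs define for Content-Length, and audits a raw HTTP/1 request head for values that a strict server would reject. The function names and the sample request are constructed for this example.

```python
import re

# The HTTP grammar is Content-Length = 1*DIGIT: ASCII digits only, no sign.
_ONE_OR_MORE_DIGITS = re.compile(rb"[0-9]+")

def lenient_length(value: bytes) -> int:
    """Permissive parse: int() accepts a leading '+', like the behaviour described."""
    return int(value)

def strict_length(value: bytes) -> int:
    """Return the length, or raise ValueError when the value is not 1*DIGIT."""
    if not _ONE_OR_MORE_DIGITS.fullmatch(value):
        raise ValueError(f"invalid Content-Length: {value!r}")
    return int(value)

def audit_request_head(head: bytes) -> list:
    """Return every Content-Length value in a raw request head that fails 1*DIGIT."""
    findings = []
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        if not line:                          # blank line ends the header block
            break
        name, sep, value = line.partition(b":")
        if not sep or name.lower() != b"content-length":
            continue
        value = value.strip(b" \t")           # optional whitespace around the value
        try:
            strict_length(value)
        except ValueError:
            findings.append(value)
    return findings

# Constructed sample request head, not captured traffic.
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: +16\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("lenient parse of +16:", lenient_length(b"+16"))
    print("values a strict parser rejects:", audit_request_head(SAMPLE_REQUEST))
```

Two components that disagree on such a value (one framing a 16-byte body, the other answering 400) are the precondition for the smuggling concern the description mentions, so a check like this is useful in proxy or WAF conformance tests.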
History
Wed, 25 Sep 2024 19:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-09-15T19:37:37.530Z
Updated: 2024-09-25T18:50:08.203Z
Reserved: 2023-08-09T15:26:41.051Z
Link: CVE-2023-40167
Vulnrichment
Updated: 2024-08-02T18:24:55.674Z
NVD
Status: Modified
Published: 2023-09-15T20:15:09.827
Modified: 2024-11-21T08:18:54.840
Link: CVE-2023-40167