CVE-2023-40167

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-40167
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-40167.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-40167
Aliases
Downstream
Related
Published
2023-09-15T19:37:37.530Z
Modified
2026-04-10T05:00:41.495212Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Jetty accepts "+" prefixed value in Content-Length
Details

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the + character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.

Database specific 
{
    "cwe_ids": [
        "CWE-130"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/40xxx/CVE-2023-40167.json"
}
References

Affected packages

Git / github.com/eclipse/jetty.project

Affected ranges

Type
GIT
Repo
https://github.com/eclipse/jetty.project
Events
Introduced
1237b739c787a75a5f9e1f495b3f2c8284761499
Last affected
b45c405e4544384de066f814ed42ae3dceacdd49
Database specific 
{
    "versions": [
        {
            "introduced": "9.0.0"
        },
        {
            "last_affected": "9.4.51"
        }
    ]
}
Type
GIT
Repo
https://github.com/eclipse/jetty.project
Events
Introduced
b9645a17373e4e9b7f30b6c0a07defcea2cb660b
Last affected
68017dbd00236bb7e187330d7585a059610f661d
Database specific 
{
    "versions": [
        {
            "introduced": "10.0.0"
        },
        {
            "last_affected": "10.0.15"
        }
    ]
}
Type
GIT
Repo
https://github.com/eclipse/jetty.project
Events
Introduced
432f896d7a4555fcc81f38108757ea0aca8788e6
Last affected
5bc5e562c8d05c5862505aebe5cf83a61bdbcb96
Database specific 
{
    "versions": [
        {
            "introduced": "11.0.0"
        },
        {
            "last_affected": "11.0.15"
        }
    ]
}
Type
GIT
Repo
https://github.com/eclipse/jetty.project
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
28100e8da711e44c0722ed10bd413ae862497539
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "= 12.0.0"
        }
    ]
}

Affected versions

jetty-11.*
jetty-11.0.0-alpha0
jetty-11.0.0.beta1
jetty-11.0.0.beta2
jetty-11.0.2
jetty-11.0.8
jetty-11.0.9
jetty-12.*
jetty-12.0.0.beta2x
jetty-12.0.0.beta3x
jetty-12.0.0x
jetty-8.*
jetty-8.0.0.RC0
jetty-8.1.0.RC0
jetty-9.*
jetty-9.1.0.M0
jetty-9.1.0.RC0
jetty-9.1.0.RC1
jetty-9.1.0.RC2
jetty-9.1.0.v20131115
jetty-9.1.1.v20140108
jetty-9.1.2.v20140210
jetty-9.1.3.v20140225
jetty-9.1.4.v20140401
jetty-9.2.0.M0
jetty-9.2.0.M1
jetty-9.2.0.RC0
jetty-9.2.0.v20140523
jetty-9.2.0.v20140526
jetty-9.2.1.v20140609

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-40167.json"