CVE-2023-40167

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-40167

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-40167.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-40167

Aliases

GHSA-hmr7-m48g-48f6

Related

Published

2023-09-15T20:15:09Z

Modified

2024-09-11T06:12:54.467127Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the + character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.

References

Affected packages

Debian:11 / jetty9

Package

Name: jetty9
Purl: pkg:deb/debian/jetty9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.4.39-3+deb11u2

Affected versions

9.*

9.4.39-3

9.4.39-3+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / jetty9

Package

Name: jetty9
Purl: pkg:deb/debian/jetty9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.4.50-4+deb12u1

Affected versions

9.*

9.4.50-4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / jetty9

Package

Name: jetty9
Purl: pkg:deb/debian/jetty9?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.4.52-1

Affected versions

9.*

9.4.50-4

9.4.51-1

9.4.51-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/eclipse/jetty.project

Affected ranges

Type: GIT
Repo: https://github.com/eclipse/jetty.project
Events: Introduced

1237b739c787a75a5f9e1f495b3f2c8284761499

Fixed

abdcda73818a1a2c705da276edb0bf6581e7997e

Type: GIT
Repo: https://github.com/jetty/jetty.project
Events: Introduced

b9645a17373e4e9b7f30b6c0a07defcea2cb660b

Fixed

a2735a9ae9d1afc124974253f1e223e5678be1f4

Affected versions

jetty-10.*

jetty-10.0.0

jetty-10.0.1

jetty-10.0.13

jetty-10.0.15

jetty-10.0.2

jetty-10.0.4

jetty-10.0.5

jetty-10.0.6

jetty-10.0.7

jetty-10.0.8

jetty-7.*

jetty-7.6.10.v20130312

jetty-7.6.11.v20130520

jetty-7.6.11.v20130725

jetty-7.6.12.v20130726

jetty-7.6.13.v20130910

jetty-7.6.6.v20120903

jetty-7.6.7.v20120910

jetty-7.6.8.v20121106

jetty-7.6.9.v20130131

jetty-8.*

jetty-8.1.10.v20130312

jetty-8.1.11.v20130520

jetty-8.1.12.v20130725

jetty-8.1.12.v20130726

jetty-8.1.13.v20130910

jetty-8.1.13.v20130916

jetty-8.1.6.v20120903

jetty-8.1.7.v20120910

jetty-8.1.8.v20121106

jetty-8.1.9.v20130131

jetty-9.*

jetty-9.0.0.M0

jetty-9.0.0.M1

jetty-9.0.0.M2

jetty-9.0.0.M3

jetty-9.0.0.M4

jetty-9.0.0.M5

jetty-9.0.0.RC0

jetty-9.0.0.RC1

jetty-9.0.0.RC2

jetty-9.0.0.RC3

jetty-9.0.0.v20130308

jetty-9.0.1.v20130408

jetty-9.0.2.v20130417

jetty-9.0.2.v20140415

jetty-9.0.3.v20130506

jetty-9.0.4.v20130621

jetty-9.0.4.v20130625

jetty-9.0.5.v20130813

jetty-9.0.5.v20130815

jetty-9.0.6.v20130919

jetty-9.0.6.v20130930

jetty-9.0.7.v20131031

jetty-9.0.7.v20131107

jetty-9.0.x

jetty-9.1.0.M0

jetty-9.1.0.RC0

jetty-9.1.0.RC1

jetty-9.1.0.RC2

jetty-9.1.0.v20131115

jetty-9.1.1.v20140108

jetty-9.1.2.v20140210

jetty-9.1.3.v20140225

jetty-9.1.4.v20140401

jetty-9.2.0.M0

jetty-9.2.0.M1

jetty-9.2.0.RC0

jetty-9.2.0.v20140523

jetty-9.2.0.v20140526

jetty-9.2.1.v20140609

jetty-9.2.10.v20150310

jetty-9.2.11.M0

jetty-9.2.11.v20150528

jetty-9.2.11.v20150529

jetty-9.2.12.M0

jetty-9.2.12.v20150709

jetty-9.2.13.v20150730

jetty-9.2.14.v20151106

jetty-9.2.15.v20160210

jetty-9.2.16.v20160414

jetty-9.2.17.v20160517

jetty-9.2.18.v20160721

jetty-9.2.19.v20160908

jetty-9.2.2.v20140723

jetty-9.2.20.v20161216

jetty-9.2.21.v20170120

jetty-9.2.22.v20170606

jetty-9.2.23.v20171218

jetty-9.2.24.v20180105

jetty-9.2.25.v20180606

jetty-9.2.26.v20180806

jetty-9.2.27.v20190403

jetty-9.2.28.v20190418

jetty-9.2.29.v20191105

jetty-9.2.3.v20140905

jetty-9.2.4.v20141103

jetty-9.2.5.v20141112

jetty-9.2.6.v20141203

jetty-9.2.6.v20141205

jetty-9.2.7.v20150116

jetty-9.2.8.v20150217

jetty-9.2.9.v20150224

jetty-9.3.0.M0

jetty-9.3.0.v20150612

jetty-9.3.1.v20150714

jetty-9.3.10.M0

jetty-9.3.10.v20160621

jetty-9.3.11.M0

jetty-9.3.11.v20160721

jetty-9.3.12.v20160915

jetty-9.3.13.M0

jetty-9.3.13.v20161014

jetty-9.3.14.v20161028

jetty-9.3.15.v20161220

jetty-9.3.16.v20170120

jetty-9.3.17.v20170317

jetty-9.3.18.v20170406

jetty-9.3.19.v20170502

jetty-9.3.20.v20170531

jetty-9.3.21.M0

jetty-9.3.21.v20170918

jetty-9.3.22.v20171030

jetty-9.3.23.v20180228

jetty-9.3.24.v20180605

jetty-9.3.25.v20180904

jetty-9.3.26.v20190403

jetty-9.3.27.v20190418

jetty-9.3.28.v20191105

jetty-9.3.3.v20150825

jetty-9.3.3.v20150827

jetty-9.3.4.v20151007

jetty-9.3.5.v20151012

jetty-9.3.6.v20151106

jetty-9.3.7.RC0

jetty-9.3.7.RC1

jetty-9.3.7.v20160115

jetty-9.3.8.RC0

jetty-9.3.8.v20160314

jetty-9.3.9.M1

jetty-9.3.9.v20160517

jetty-9.4.0.M1

jetty-9.4.0.RC0

jetty-9.4.0.RC1

jetty-9.4.0.RC2

jetty-9.4.0.RC3

jetty-9.4.0.v20161207

jetty-9.4.0.v20161208

jetty-9.4.1.v20170120

jetty-9.4.10.v20180503

jetty-9.4.11.v20180605

jetty-9.4.12.v20180830

jetty-9.4.13.v20181111

jetty-9.4.14.v20181114

jetty-9.4.15.v20190215

jetty-9.4.16.v20190411

jetty-9.4.17.v20190418

jetty-9.4.18.v20190429

jetty-9.4.19.v20190610

jetty-9.4.2.v20170220

jetty-9.4.20.v20190813

jetty-9.4.21.v20190926

jetty-9.4.22.v20191022

jetty-9.4.23.v20191118

jetty-9.4.24.v20191120

jetty-9.4.25.v20191220

jetty-9.4.26.v20200117

jetty-9.4.27.v20200227

jetty-9.4.28.v20200408

jetty-9.4.29.v20200521

jetty-9.4.3.v20170317

jetty-9.4.30.v20200611

jetty-9.4.31.v20200723

jetty-9.4.32.v20200930

jetty-9.4.33.v20201020

jetty-9.4.34.v20201102

jetty-9.4.35.v20201120

jetty-9.4.36.v20210114

jetty-9.4.37.v20210219

jetty-9.4.38.v20210224

jetty-9.4.39.v20210325

jetty-9.4.4.v20170414

jetty-9.4.40.v20210413

jetty-9.4.42.v20210604

jetty-9.4.43.v20210629

jetty-9.4.44.v20210927

jetty-9.4.45.v20220203

jetty-9.4.5.v20170502

jetty-9.4.50.v20221201

jetty-9.4.6.v20170531

jetty-9.4.7.v20170914

jetty-9.4.8.v20171121

jetty-9.4.9.v20180320