
CVE-2023-40167

Jetty accepts "+" prefixed value in Content-Length

Severity Score

5.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC

Descriptions

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts a `+` character preceding the Content-Length value in an HTTP/1 header field. This is more permissive than the HTTP RFCs allow (Content-Length is defined as a sequence of digits only), and other servers routinely reject such requests with a 400 response. There is no known exploit scenario, but request smuggling is conceivable if Jetty is deployed in combination with a server that does not close the connection after sending such a 400 response, since the two would then disagree on where the request body ends. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround, as there is no known exploit scenario.


A flaw was found in Jetty that permits a plus sign (+) preceding the Content-Length value in an HTTP/1 header field, which is non-standard and more permissive than the RFC allows. This issue could enable request smuggling when Jetty is used in conjunction with a server that does not close connections after 400 responses.

*Credits: N/A
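
To make the parsing discrepancy in the descriptions concrete, here is an added Python example; it is not Jetty's code and not part of the advisory. It puts a strict Content-Length parser that follows the RFC 9110 grammar (1*DIGIT) beside a lenient one that defers to a general-purpose integer routine, which is the class of behaviour the CVE describes, and frames the same constructed request with both to show where they disagree. The sample requests, the host name and all function names are assumptions made for the illustration.

```python
import re

# Constructed sample requests for the demonstration (not captured traffic).
# The first carries the non-conformant "+5" that unpatched Jetty accepted.
REQ_PLUS_CL = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
               b"Content-Length: +5\r\n\r\nhello")
REQ_GOOD_CL = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
               b"Content-Length: 5\r\n\r\nhello")

# RFC 9110 section 8.6 defines Content-Length = 1*DIGIT. Optional whitespace
# around a field value belongs to the field-line grammar, so it is trimmed
# before the value itself is matched against the digit-only rule.
_DIGITS = re.compile(r"[0-9]+")


def parse_content_length_strict(value):
    """Return the declared length, or None if the value is not 1*DIGIT."""
    v = value.strip(" \t")
    return int(v) if _DIGITS.fullmatch(v) else None


def parse_content_length_lenient(value):
    """A parser that hands the field value to a general-purpose integer routine.
    Python's int() (like Java's Long.parseLong) accepts a leading sign; int()
    also takes digit-group underscores and non-ASCII decimal digits. This
    mirrors the over-permissive behaviour the advisory describes and exists
    here only for comparison."""
    try:
        return int(value.strip(" \t"))
    except ValueError:
        return None


def split_head(raw):
    """Split an HTTP/1 request into (request line, header lines, body bytes).
    Returns None when the head is not terminated by CRLF CRLF."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("iso-8859-1").split("\r\n")
    return lines[0], lines[1:], rest


def content_length_values(header_lines):
    """All Content-Length field values (name matched case-insensitively)."""
    found = []
    for line in header_lines:
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() == "content-length":
            found.append(value)
    return found


def frame_request(raw, parser):
    """Frame one request using the given Content-Length parser.

    Returns ("ok", body, remainder) when the parser accepts the framing,
    ("reject", b"", remainder) when a server using that parser should answer
    400, or ("incomplete", rest, b"") when more bytes are needed. A rejecting
    server must also close the connection: if it keeps it open without
    consuming the body, 'remainder' (the bytes the other parser treated as
    the body) stays on the wire and is read as the start of the next message.
    That mismatch is the condition the advisory calls conceivable.
    """
    parsed = split_head(raw)
    if parsed is None:
        return ("reject", b"", raw)
    _, headers, rest = parsed
    values = content_length_values(headers)
    if not values:
        return ("ok", b"", rest)          # no body declared
    lengths = {parser(v) for v in values}
    if len(lengths) != 1 or None in lengths:
        return ("reject", b"", rest)      # malformed, or conflicting duplicates
    n = lengths.pop()
    if n < 0:
        return ("reject", b"", rest)
    if n > len(rest):
        return ("incomplete", rest, b"")
    return ("ok", rest[:n], rest[n:])


def compare_framings(raw):
    """Both parsers' verdicts on the same bytes; a mismatch is what a
    front-end should turn into a hard 400 followed by closing the connection."""
    strict = frame_request(raw, parse_content_length_strict)
    lenient = frame_request(raw, parse_content_length_lenient)
    return {"strict": strict, "lenient": lenient, "mismatch": strict != lenient}


if __name__ == "__main__":
    for label, req in (("Content-Length: +5", REQ_PLUS_CL),
                       ("Content-Length: 5", REQ_GOOD_CL)):
        print(label, compare_framings(req))
```

On the `+5` request the strict parser rejects and leaves `hello` unread on the connection while the lenient one consumes it as the body; on the well-formed request both agree. The practical check is the strict parser alone: anything in front of an unpatched Jetty should answer 400 and close the connection when it returns None, rather than leave the body bytes in the stream.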

CVSS Scores

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (base score 5.3)
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
* Common Vulnerability Scoring System

SSVC
  • Decision: Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Partial
* Organization's Worst-case Scenario

Timeline
  • 2023-08-09 CVE Reserved
  • 2023-09-15 CVE Published
  • 2024-09-25 CVE Updated
  • 2024-10-17 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit

CWE
  • CWE-130: Improper Handling of Length Parameter Inconsistency

CAPEC

Affected Vendors, Products, and Versions

Vendor    Product        Version               Other    Status
Eclipse   Jetty          >= 9.0.0 < 9.4.52     -        Affected
Eclipse   Jetty          >= 10.0.0 < 10.0.16   -        Affected
Eclipse   Jetty          >= 11.0.0 < 11.0.16   -        Affected
Eclipse   Jetty          12.0.0                -        Affected
Eclipse   Jetty          12.0.0                beta0    Affected
Eclipse   Jetty          12.0.0                beta1    Affected
Eclipse   Jetty          12.0.0                beta2    Affected
Eclipse   Jetty          12.0.0                beta3    Affected
Eclipse   Jetty          12.0.0                beta4    Affected
Debian    Debian Linux   10.0                  -        Affected
Debian    Debian Linux   11.0                  -        Affected
Debian    Debian Linux   12.0                  -        Affected