CVE-2023-40167

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field.  This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses.  There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 61%
Affected Products (NVD)
VendorProductVersion
eclipsejetty
9.0.0 ≤
𝑥
< 9.4.52
eclipsejetty
10.0.0 ≤
𝑥
< 10.0.16
eclipsejetty
11.0.0 ≤
𝑥
< 11.0.16
eclipsejetty
12.0.0
eclipsejetty
12.0.0:beta0
eclipsejetty
12.0.0:beta1
eclipsejetty
12.0.0:beta2
eclipsejetty
12.0.0:beta3
eclipsejetty
12.0.0:beta4
debiandebian_linux
10.0
debiandebian_linux
11.0
debiandebian_linux
12.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
jetty9
bookworm
9.4.50-4+deb12u3
fixed
bookworm (security)
9.4.50-4+deb12u3
fixed
bullseye
9.4.50-4+deb11u2
fixed
bullseye (security)
9.4.50-4+deb11u2
fixed
sid
9.4.56-1
fixed
trixie
9.4.56-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jetty9
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
lunar
ignored
mantic
ignored
noble
needs-triage
oracular
needs-triage
trusty
ignored
xenial
needs-triage
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
jetty-http
suse enterprise desktop 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP7
9.4.53-150200.3.22.1
fixed
jetty-io
suse enterprise desktop 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP7
9.4.53-150200.3.22.1
fixed
jetty-security
suse enterprise desktop 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP7
9.4.53-150200.3.22.1
fixed
jetty-server
suse enterprise desktop 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP7
9.4.53-150200.3.22.1
fixed
jetty-servlet
suse enterprise desktop 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP7
9.4.53-150200.3.22.1
fixed
jetty-util
suse enterprise desktop 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP7
9.4.53-150200.3.22.1
fixed
jetty-util-ajax
suse enterprise desktop 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP7
9.4.53-150200.3.22.1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
jetty-annotations
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-ant
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-client
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-continuation
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-deploy
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-http
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-io
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-jaas
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-jaspi
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-javadoc
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-jmx
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-jndi
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-jsp
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-jspc-maven-plugin
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-maven-plugin
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-monitor
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-plus
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-project
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-proxy
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-rewrite
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-runner
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-security
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-server
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-servlet
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-servlets
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-start
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-util
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-util-ajax
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-webapp
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-websocket-api
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-websocket-client
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-websocket-common
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-websocket-parent
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-websocket-server
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-websocket-servlet
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed
jetty-xml
Amazon Linux 2
0:9.0.3-8.amzn2.0.3
fixed