CVE-2023-40167

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field.  This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses.  There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 89%
Affected Products (NVD)
VendorProductVersion
eclipsejetty
9.0.0 ≤
𝑥
< 9.4.52
eclipsejetty
10.0.0 ≤
𝑥
< 10.0.16
eclipsejetty
11.0.0 ≤
𝑥
< 11.0.16
eclipsejetty
12.0.0
eclipsejetty
12.0.0:beta0
eclipsejetty
12.0.0:beta1
eclipsejetty
12.0.0:beta2
eclipsejetty
12.0.0:beta3
eclipsejetty
12.0.0:beta4
debiandebian_linux
10.0
debiandebian_linux
11.0
debiandebian_linux
12.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
jetty9
bookworm
9.4.50-4+deb12u3
fixed
bookworm (security)
9.4.50-4+deb12u3
fixed
bullseye
9.4.50-4+deb11u2
fixed
bullseye (security)
9.4.50-4+deb11u2
fixed
sid
9.4.56-1
fixed
trixie
9.4.56-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jetty9
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
lunar
ignored
mantic
ignored
noble
needs-triage
oracular
needs-triage
trusty
ignored
xenial
needs-triage
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
jetty-http
suse enterprise desktop 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP7
9.4.53-150200.3.22.1
fixed
jetty-io
suse enterprise desktop 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP7
9.4.53-150200.3.22.1
fixed
jetty-security
suse enterprise desktop 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP7
9.4.53-150200.3.22.1
fixed
jetty-server
suse enterprise desktop 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP7
9.4.53-150200.3.22.1
fixed
jetty-servlet
suse enterprise desktop 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP7
9.4.53-150200.3.22.1
fixed
jetty-util
suse enterprise desktop 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP7
9.4.53-150200.3.22.1
fixed
jetty-util-ajax
suse enterprise desktop 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise desktop 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise sap 15 SP7
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP2
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP3
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP4
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP5
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP6
9.4.53-150200.3.22.1
fixed
suse enterprise server 15 SP7
9.4.53-150200.3.22.1
fixed
Common Weakness Enumeration
References
https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6
https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
https://www.debian.org/security/2023/dsa-5507
https://www.rfc-editor.org/rfc/rfc9110#section-8.6
https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6
https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html
https://www.debian.org/security/2023/dsa-5507
https://www.rfc-editor.org/rfc/rfc9110#section-8.6