VYPR
Moderate severityNVD Advisory· Published Sep 15, 2023· Updated Feb 13, 2025

Jetty accepts "+" prefixed value in Content-Length

CVE-2023-40167

Description

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the + character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.eclipse.jetty:jetty-httpMaven
>= 9.0.0, < 9.4.529.4.52
org.eclipse.jetty:jetty-httpMaven
>= 10.0.0, < 10.0.1610.0.16
org.eclipse.jetty:jetty-httpMaven
>= 11.0.0, < 11.0.1611.0.16
org.eclipse.jetty:jetty-httpMaven
>= 12.0.0, < 12.0.112.0.1

Affected products

26

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.