PT-2023-8842 · Eclipse+4 · Jetty+4

Mukeran · Published 2023-09-14 · Updated 2026-05-18 · CVE-2023-40167

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Jetty versions prior to 9.4.52
Jetty versions prior to 10.0.16
Jetty versions prior to 11.0.16
Jetty versions prior to 12.0.1

Description
Jetty is a Java-based web server and servlet engine. It accepts a + character preceding the Content-Length value in an HTTP/1 header field, which is more permissive than the RFC allows (Content-Length is defined as a sequence of decimal digits only). Other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response.

Recommendations
Update to version 9.4.52 or later
Update to version 10.0.16 or later
Update to version 11.0.16 or later
Update to version 12.0.1 or later
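As an added example (not from the advisory and not Jetty's own code), the check below contrasts a permissive length parse of the kind the description refers to with a strict one that accepts only the RFC 9110 form of Content-Length (1*DIGIT); function names and the sample values are constructed for illustration.

```python
import re
from typing import Iterable, Optional

# RFC 9110 section 8.6: Content-Length = 1*DIGIT
# (ASCII digits only: no sign, no whitespace, no separators).
_CONTENT_LENGTH = re.compile(rb"[0-9]+")


def lenient_content_length(value: bytes) -> int:
    """Model of a permissive parser (hypothetical, not Jetty's code).

    Python's int() accepts a leading '+', surrounding whitespace and
    underscores, so b'+42' and b'4_2' both parse as 42. A peer that
    parses the same header strictly may disagree about the body length,
    which is the request-smuggling concern behind this advisory.
    """
    return int(value)


def strict_content_length(values: Iterable[bytes]) -> Optional[int]:
    """Return the body length if every Content-Length field value is a
    valid 1*DIGIT token and all values agree; otherwise None.

    A None result should be answered with 400 and the connection closed,
    so that no downstream peer can reinterpret the remaining bytes.
    """
    lengths = set()
    for raw in values:
        # Only optional whitespace around the field value may be dropped
        # (field-line OWS, RFC 9112 section 5.1); anything else is invalid.
        token = raw.strip(b" \t")
        if not _CONTENT_LENGTH.fullmatch(token):
            return None
        lengths.add(int(token))
    # RFC 9110 permits duplicate identical values; differing values are
    # invalid and an empty list means no Content-Length was present.
    if len(lengths) != 1:
        return None
    return lengths.pop()


if __name__ == "__main__":
    # Constructed sample field values, not captured traffic.
    for sample in (b"42", b" 42 ", b"+42", b"4_2", b"0x2a", b"-1"):
        print(sample, "->", strict_content_length([sample]))
```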

Exploit

Fix


Weakness Enumeration

Related identifiers

ALSA-2025_16880
ALT-PU-2024-16002
ALT-PU-2024-16022
ALT-PU-2024-16072
BDU:2024-02254
CLEANSTART-2026-SQ91016
CLEANSTART-2026-WK99982
CVE-2023-40167
DLA-3592-1
DSA-5507-1
GHSA-HMR7-M48G-48F6
OESA-2024-2268
OESA-2024-2297
OESA-2024-2298
OESA-2024-2299
OESA-2024-2300
OPENSUSE-SU-2023_4210-1
OPENSUSE-SU-2024:13329-1
RHSA-2024:0778
RHSA-2024:0797
RHSA-2024:2010
SUSE-SU-2023:4210-1

Affected products

Alt Linux
Astra Linux
Jetty
Red Os
Suse