PT-2023-8842 · Eclipse+4 · Jetty+4

Mukeran · Published 2023-09-14 · Updated 2026-05-18 · CVE-2023-40167

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Jetty versions prior to 9.4.52
Jetty versions prior to 10.0.16
Jetty versions prior to 11.0.16
Jetty versions prior to 12.0.1
Description
Jetty is a Java-based web server and servlet engine. It accepts a + character preceding the Content-Length value in an HTTP/1 header field, which is more permissive than the RFC grammar allows (Content-Length is defined as a sequence of digits only). Other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response.
Recommendations
Update to version 9.4.52 or later
Update to version 10.0.16 or later
Update to version 11.0.16 or later
Update to version 12.0.1 or later
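To illustrate the parsing difference the description is about, here is an added example (not code from Jetty or from this advisory): a strict Content-Length check that follows the RFC 9110 grammar (1*DIGIT) beside a lenient parser built on a generic integer conversion, which accepts a leading "+" the way the advisory describes. The two HTTP/1.1 requests are constructed samples, and the header-checking function is a hypothetical front-end check, not Jetty's own code.

```python
import re

# RFC 9110 section 8.6: Content-Length = 1*DIGIT (no sign, no whitespace inside).
CONTENT_LENGTH_RE = re.compile(r"[0-9]+")


def parse_content_length_strict(value: str):
    """Return the length as an int, or None when the value violates 1*DIGIT.
    A None result is what a conforming server turns into a 400 response."""
    if not CONTENT_LENGTH_RE.fullmatch(value):
        return None
    return int(value)


def parse_content_length_lenient(value: str):
    """The permissive behaviour the advisory describes: a generic integer
    conversion accepts a leading '+' (int('+5') == 5), so '+5' is treated as 5."""
    try:
        return int(value.strip())
    except ValueError:
        return None


def check_request_headers(raw: bytes):
    """Parse a constructed HTTP/1.1 request head and decide whether to accept it.
    Returns ('reject', reason) or ('accept', content_length)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    field_lines = head.split("\r\n")[1:]  # skip the request line
    values = [line.split(":", 1)[1].strip()
              for line in field_lines if line.lower().startswith("content-length:")]
    if not values:
        return ("accept", 0)
    parsed = {parse_content_length_strict(v) for v in values}
    if None in parsed:
        return ("reject", "Content-Length violates the 1*DIGIT grammar")
    if len(parsed) > 1:
        return ("reject", "conflicting Content-Length values")
    return ("accept", parsed.pop())


# Constructed sample requests (not captured traffic).
REQUEST_OK = b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
REQUEST_PLUS = b"POST /submit HTTP/1.1\r\nHost: example.test\r\nContent-Length: +5\r\n\r\nhello"

if __name__ == "__main__":
    for req in (REQUEST_OK, REQUEST_PLUS):
        print(check_request_headers(req))
```

The lenient parser and the strict one agree on "5" but disagree on "+5"; when two hops in a chain disagree about whether a request is valid, that is the condition the advisory's smuggling caveat refers to.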


Related Identifiers

ALSA-2025_16880
ALT-PU-2024-16002
ALT-PU-2024-16022
ALT-PU-2024-16072
BDU:2024-02254
CLEANSTART-2026-SQ91016
CLEANSTART-2026-WK99982
CVE-2023-40167
DLA-3592-1
DSA-5507-1
GHSA-HMR7-M48G-48F6
OESA-2024-2268
OESA-2024-2297
OESA-2024-2298
OESA-2024-2299
OESA-2024-2300
OPENSUSE-SU-2023_4210-1
OPENSUSE-SU-2024:13329-1
RHSA-2024:0778
RHSA-2024:0797
RHSA-2024:2010
SUSE-SU-2023:4210-1

Affected Products

Alt Linux
Astra Linux
Jetty
Red Os
Suse