CVE-2023-40167
Published: 15 September 2023
Summary
CVE-2023-40167 is a medium-severity Improper Handling of Length Parameter Inconsistency (CWE-130) vulnerability in Eclipse Jetty. Its CVSS base score is 5.3 (Medium).
Operationally, it ranks in the top 10.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
Jetty, an open-source Java web server and servlet container, has a parsing inconsistency in its HTTP/1 handling prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1. The server accepts a leading "+" character in the Content-Length header value (for example `Content-Length: +23`). RFC 9110 §8.6 defines the field value as `1*DIGIT`, so a sign is not permitted, and many other HTTP implementations reject such a request with a 400 response.
The security-relevant point is framing: a Content-Length value is what tells each hop where one request's body ends and the next request begins on a reused connection. If two hops on the same path disagree on whether `+23` is a valid length, one will treat the following 23 bytes as a body while the other rejects the request, and if the rejecting side does not close the connection after its 400 it will go on parsing those same bytes as a new request head. That is the desynchronisation the advisory has in mind when it mentions Jetty used in combination with a server that does not close the connection after sending a 400. An unauthenticated network attacker could send such a malformed request in an attempt to create that condition in proxied or load-balanced deployments, and the CVSS vector rates the impact as a low integrity loss; however, the project states that no concrete exploit scenario has been identified, so the practical risk depends on which peers Jetty is paired with and how they handle the malformed header.
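As an added illustration (not code from this page or from the Jetty project), the following Python models the framing disagreement described above: the same connection bytes are split into requests by a parser that follows RFC 9110 §8.6 and by one that tolerates a leading "+". The permissive parser is an assumption about the shape of the bug, not Jetty's code; the sample stream, the host name and all function names are constructed for the example. It also builds the raw request a practitioner could send to check a deployment. It does not demonstrate an exploit against Jetty; as the advisory says, none is known.

```python
import re
from typing import Callable, List, Optional, Tuple

Parser = Callable[[str], Optional[int]]
Framed = Tuple[str, str, bytes]  # (status, request line, body)


def parse_content_length_strict(value: str) -> Optional[int]:
    """RFC 9110 section 8.6: Content-Length = 1*DIGIT.

    A sign, whitespace, hex prefix or anything else is not a valid length,
    and a compliant server answers 400 rather than guessing."""
    if re.fullmatch(r"[0-9]+", value) is None:
        return None
    return int(value)


def parse_content_length_permissive(value: str) -> Optional[int]:
    """Model of the pre-fix behaviour the advisory describes: an optional
    leading '+' is tolerated, as Java's Long.parseLong tolerates it.
    This is an assumption about the shape of the bug, not Jetty's code."""
    if re.fullmatch(r"\+?[0-9]+", value) is None:
        return None
    return int(value)


def frame_requests(stream: bytes, parse_cl: Parser, close_on_400: bool) -> List[Framed]:
    """Split one connection's bytes into requests the way a server using
    `parse_cl` would. `close_on_400` is the expected behaviour: stop reading
    once a request's framing could not be trusted."""
    framed: List[Framed] = []
    pos = 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end < 0:
            break  # incomplete head; a real server would wait for more bytes
        lines = stream[pos:head_end].decode("ascii").split("\r\n")
        request_line = lines[0]
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        pos = head_end + 4
        length = 0
        if "content-length" in headers:
            parsed = parse_cl(headers["content-length"])
            if parsed is None:
                framed.append(("400", request_line, b""))
                if close_on_400:
                    break
                continue  # bytes after the head are now read as a new request
            length = parsed
        framed.append(("200", request_line, stream[pos:pos + length]))
        pos += length
    return framed


# Constructed sample: one connection carrying a request whose Content-Length
# uses the "+" form, followed by more requests. The 23-byte "body" of the
# first request is itself a complete HTTP request.
SAMPLE_STREAM = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: +23\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n\r\n"  # exactly 23 bytes
    b"GET /public HTTP/1.1\r\n\r\n"
)


def targets(framed: List[Framed]) -> List[Tuple[str, str]]:
    """Reduce a framing result to (status, request-target) pairs."""
    return [(status, line.split(" ")[1]) for status, line, _ in framed]


def compare_framings(stream: bytes = SAMPLE_STREAM) -> dict:
    """Three views of the same bytes: permissive parser, strict parser that
    keeps the connection open after 400, strict parser that closes."""
    return {
        "permissive": targets(frame_requests(stream, parse_content_length_permissive, True)),
        "strict_keep_open": targets(frame_requests(stream, parse_content_length_strict, False)),
        "strict_close": targets(frame_requests(stream, parse_content_length_strict, True)),
    }


def probe_request(host: str = "app.example") -> bytes:
    """Raw request to send with nc or openssl s_client (hypothetical host).
    A server following the RFC answers 400; one that treats it as
    well-formed still accepts the '+' form."""
    return b"".join([
        b"POST / HTTP/1.1\r\n",
        b"Host: " + host.encode("ascii") + b"\r\n",
        b"Content-Length: +0\r\n",
        b"Connection: close\r\n",
        b"\r\n",
    ])


if __name__ == "__main__":
    for name, seen in compare_framings().items():
        print(f"{name:17s} {seen}")
```

Running it shows the permissive side seeing two requests (`/upload` with the `/admin` bytes as its body, then `/public`), a strict side that keeps the connection open seeing three (a rejected `/upload`, then `/admin`, then `/public`), and a strict side that closes after the 400 seeing only the rejected request. The middle case is the one the advisory warns about: the two views of the same connection disagree on whether `/admin` was ever a request.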
The project’s security advisory and downstream distributions such as Debian advise immediate upgrade to the patched releases; no configuration workaround exists. Public references, including the GitHub advisory GHSA-hmr7-m48g-48f6 and the associated RFC section, document the discrepancy and the fix.
EPSS scores have remained low, with a current value of 0.0457 and a peak of only 0.0553, indicating limited observed exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2523
Vulnerability details
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.