Cyber Resilience

CVE-2023-40167

Severity: Medium
Published: 15 September 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available
CVSS v3.1 base score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS score: 0.0457 (89.5th percentile)
Risk priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-40167 is a medium-severity Improper Handling of Length Parameter Inconsistency (CWE-130) vulnerability in Eclipse Jetty. Its CVSS base score is 5.3 (Medium).

Operationally, it ranks in the top 10.5% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

Jetty, an open-source Java web server and servlet container, is affected by a parsing inconsistency in its HTTP/1 handling prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1. The server accepts a leading “+” character in the Content-Length header value, which deviates from RFC 9110 requirements and from the stricter behavior of many other HTTP implementations that respond with a 400 status.

An unauthenticated network attacker could send such a malformed request in an attempt to trigger request-smuggling conditions when Jetty is placed behind or in front of another server that fails to close the connection after issuing a 400 response. Although no concrete exploit scenario has been identified, the permissive parsing could allow an attacker to manipulate request framing and potentially reach protected resources or bypass access controls in certain proxy or load-balanced deployments.
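As an added illustration (not code from the Jetty project or from this advisory), the Python below contrasts a permissive Content-Length parser (Python's own int() accepts a leading "+", much like the affected Jetty versions did) with a validator that enforces the RFC 9110 grammar of 1*DIGIT and answers 400 for a constructed request carrying `Content-Length: +5`. The request strings and the response_status() helper are constructed for this example.

```python
import re
from typing import Optional

# RFC 9110 section 8.6: Content-Length = 1*DIGIT (no sign, no inner whitespace)
_STRICT_LENGTH = re.compile(r"[0-9]+")


def lenient_content_length(value: str) -> Optional[int]:
    """Permissive parse: int() accepts a leading '+' (and surrounding spaces),
    the same kind of leniency the unpatched Jetty versions showed."""
    try:
        return int(value)
    except ValueError:
        return None


def strict_content_length(value: str) -> Optional[int]:
    """Accept only 1*DIGIT; anything else (e.g. '+5', ' 5') is invalid."""
    if _STRICT_LENGTH.fullmatch(value) is None:
        return None
    return int(value)


def parsers_disagree(value: str) -> bool:
    """True when a lenient parser accepts a value a strict one rejects: these are
    the values on which two hops in a chain could frame the body differently."""
    return lenient_content_length(value) is not None and strict_content_length(value) is None


def response_status(raw_request: str) -> int:
    """400 if any Content-Length header is malformed under the strict grammar or
    the values conflict, otherwise 200. Input: raw HTTP/1 head, CRLF-separated."""
    lengths = []
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "content-length":
            lengths.append(strict_content_length(val.strip(" \t")))  # OWS around the value is allowed
    if not lengths:
        return 200
    if None in lengths or len(set(lengths)) != 1:  # malformed or conflicting values
        return 400
    return 200


# Constructed sample requests (not captured traffic)
MALFORMED_REQUEST = "POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: +5\r\n\r\nhello"
VALID_REQUEST = "POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"

if __name__ == "__main__":
    print("lenient '+5' ->", lenient_content_length("+5"))        # 5
    print("strict  '+5' ->", strict_content_length("+5"))         # None
    print("status (malformed) ->", response_status(MALFORMED_REQUEST))  # 400
```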

The project’s security advisory and downstream distributions such as Debian advise immediate upgrade to the patched releases; no configuration workaround exists. Public references, including the GitHub advisory GHSA-hmr7-m48g-48f6 and the associated RFC section, document the discrepancy and the fix.

EPSS scores have remained low, with a current value of 0.0457 and a peak of only 0.0553, indicating limited observed exploitation interest since disclosure.

Vulnerability details

Jetty is a Java-based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.

CWE(s)

CWE-130: Improper Handling of Length Parameter Inconsistency

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor   Product        Versions
eclipse  jetty          12.0.0; 9.0.0 to 9.4.52; 10.0.0 to 10.0.16; 11.0.0 to 11.0.16
debian   debian linux   10.0, 11.0, 12.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
