5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-40167

GHSA ID

GHSA-hmr7-m48g-48f6

EPSS Score

0.89462%

CWE

CWE-130

Published

9/14/2023

Updated

11/6/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-40167

CVE-2023-40167: Jetty accepts "+" prefixed value in Content-Length

Impact

Jetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response.

Workarounds

There is no workaround as there is no known exploit scenario.

Original Report

RFC 9110 Secion 8.6 defined the value of Content-Length header should be a string of 0-9 digits. However we found that Jetty accepts "+" prefixed Content-Length, which could lead to potential HTTP request smuggling.

Payload:

 POST / HTTP/1.1
 Host: a.com
 Content-Length: +16
 Connection: close
 
 0123456789abcdef

When sending this payload to Jetty, it can successfully parse and identify the length.

When sending this payload to NGINX, Apache HTTPd or other HTTP servers/parsers, they will return 400 bad request.

This behavior can lead to HTTP request smuggling and can be leveraged to bypass WAF or IDS.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-40167

GHSA ID

GHSA-hmr7-m48g-48f6

EPSS Score

0.89462%

CWE

CWE-130

Published

9/14/2023

Updated

11/6/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.eclipse.jetty:jetty-http	maven	>= 9.0.0, <= 9.4.51	9.4.52
org.eclipse.jetty:jetty-http	maven	>= 10.0.0, <= 10.0.15	10.0.16
org.eclipse.jetty:jetty-http	maven	>= 11.0.0, <= 11.0.15	11.0.16
org.eclipse.jetty:jetty-http	maven	= 12.0.0	12.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly states Jetty improperly accepts '+' prefixed Content-Length values. The HTTP specification (RFC 9110 Section 8.6) mandates Content-Length must be a string of digits. The most logical location for this parsing would be in the HTTP header processing logic, specifically in Content-Length handling. Jetty's HttpParser class contains methods for header parsing, and the Content-Length handling would need to validate/convert the header value. The presence of a '+' acceptance indicates insufficient validation in this parsing function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t J*tty ****pts t** '+' ***r**t*r pro****in* t** *ont*nt-l*n*t* v*lu* in * *TTP/* *****r *i*l*. T*is is mor* p*rmissiv* t**n *llow** *y t** R** *n* ot**r s*rv*rs routin*ly r*j**t su** r*qu*sts wit* *** r*spons*s. T**r* is no known *xploit

Reasoning

T** vuln*r**ility **s*ription *xpli*itly st*t*s J*tty improp*rly ****pts '+' pr**ix** *ont*nt-L*n*t* v*lu*s. T** *TTP sp**i*i**tion (R** **** S**tion *.*) m*n**t*s *ont*nt-L*n*t* must ** * strin* o* *i*its. T** most lo*i**l lo**tion *or t*is p*rsin*

5.3

Basic Information

Concerned about an active attack path?

CVE-2023-40167: Jetty accepts "+" prefixed value in Content-Length

Impact

Workarounds

Original Report

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI