CVE-2023-40167

Name: CVE-2023-40167
Creator: NVD / NIST
Published: 2023-09-15T20:15:09.827+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.3/10EPSS 1.07%

Last modified Jun 17, 2026

CVE-2023-40167 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. EPSS estimates a 1.07% chance of exploitation in the next 30 days.

Description

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.

Metrics

CVSS 3.1

5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Probability

1.07%

60.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-130

Affected Software

Vendor	Product	Versions
Eclipse	Jetty	>= 9.0.0, < 9.4.52
Eclipse	Jetty	>= 10.0.0, < 10.0.16
Eclipse	Jetty	>= 11.0.0, < 11.0.16
Eclipse	Jetty	12.0.0
Debian	Debian Linux	10.0
Debian	Debian Linux	11.0
Debian	Debian Linux	12.0

References

https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/09/msg00039.htmlMailing List, Third Party Advisory
https://www.debian.org/security/2023/dsa-5507Third Party Advisory
https://www.rfc-editor.org/rfc/rfc9110#section-8.6Technical Description
https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/09/msg00039.htmlMailing List, Third Party Advisory
https://www.debian.org/security/2023/dsa-5507Third Party Advisory
https://www.rfc-editor.org/rfc/rfc9110#section-8.6Technical Description

Timeline

Published: Sep 15, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-40167?

How severe is CVE-2023-40167?

CVE-2023-40167 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 1.07% probability of exploitation in the next 30 days.

How do I fix CVE-2023-40167?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-40167?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST