{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-28T19:40:36.414","vulnerabilities":[{"cve":{"id":"CVE-2023-40167","sourceIdentifier":"security-advisories@github.com","published":"2023-09-15T20:15:09.827","lastModified":"2024-11-21T08:18:54.840","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field.  This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses.  There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario."},{"lang":"es","value":"Jetty es un servidor web y motor de servlet basado en Java. Antes de las versiones 9.4.52, 10.0.16, 11.0.16 y 12.0.1, Jetty acepta el carácter `+` que precede al valor de longitud del contenido en un campo de encabezado HTTP/1. Esto es más permisivo de lo que permite el RFC y otros servidores rechazan habitualmente este tipo de solicitudes con 400 respuestas. No se conoce ningún escenario de explotación, pero es posible que se produzca contrabando de solicitudes si se utiliza jetty en combinación con un servidor que no cierra la conexión después de enviar dicha respuesta 400. Las versiones 9.4.52, 10.0.16, 11.0.16 y 12.0.1 contienen un parche para este problema. No existe ningún workaround ya que no se conoce ningún escenario de explotación."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-130"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*","versionStartIncluding":"9.0.0","versionEndExcluding":"9.4.52","matchCriteriaId":"64EE3E5D-9A4F-4C6A-B723-101CF69F89F7"},{"vulnerable":true,"criteria":"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*","versionStartIncluding":"10.0.0","versionEndExcluding":"10.0.16","matchCriteriaId":"1D15B5CF-CDFA-4303-8A9F-CF2FAD8E10CC"},{"vulnerable":true,"criteria":"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*","versionStartIncluding":"11.0.0","versionEndExcluding":"11.0.16","matchCriteriaId":"9153C468-135C-49C4-B33B-1828E37AF483"},{"vulnerable":true,"criteria":"cpe:2.3:a:eclipse:jetty:12.0.0:-:*:*:*:*:*:*","matchCriteriaId":"AF9975B1-5572-4D1A-B33B-4785189D4355"},{"vulnerable":true,"criteria":"cpe:2.3:a:eclipse:jetty:12.0.0:beta0:*:*:*:*:*:*","matchCriteriaId":"C591F4A5-8A66-4A08-B969-C4264A98C7CF"},{"vulnerable":true,"criteria":"cpe:2.3:a:eclipse:jetty:12.0.0:beta1:*:*:*:*:*:*","matchCriteriaId":"9B9C2A15-1AC2-4DFA-849E-63657784FA3D"},{"vulnerable":true,"criteria":"cpe:2.3:a:eclipse:jetty:12.0.0:beta2:*:*:*:*:*:*","matchCriteriaId":"664F3D66-783F-477D-83A5-9E85B79420EC"},{"vulnerable":true,"criteria":"cpe:2.3:a:eclipse:jetty:12.0.0:beta3:*:*:*:*:*:*","matchCriteriaId":"B7090FB4-DE20-46EF-9D1D-7C1F152A38C6"},{"vulnerable":true,"criteria":"cpe:2.3:a:eclipse:jetty:12.0.0:beta4:*:*:*:*:*:*","matchCriteriaId":"D30177D6-6092-4C9D-8DE4-3CF51C07AE61"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","matchCriteriaId":"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"},{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","matchCriteriaId":"FA6FEEC2-9F11-4643-8827-749718254FED"},{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*","matchCriteriaId":"46D69DCC-AE4D-4EA5-861C-D60951444C6C"}]}]}],"references":[{"url":"https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html","source":"security-advisories@github.com","tags":["Mailing List","Third Party Advisory"]},{"url":"https://www.debian.org/security/2023/dsa-5507","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://www.rfc-editor.org/rfc/rfc9110#section-8.6","source":"security-advisories@github.com","tags":["Technical Description"]},{"url":"https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]},{"url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]},{"url":"https://www.debian.org/security/2023/dsa-5507","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://www.rfc-editor.org/rfc/rfc9110#section-8.6","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Technical Description"]}]}}]}