Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2023-40167

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario. (CVE-2023-40167)

Source

ALAS-2024-2460

Amazon Linux 2 Security Advisory: ALAS-2024-2460
Advisory Release Date: 2024-02-15 03:52 Pacific
Advisory Updated Date: 2024-02-19 17:36 Pacific

Severity: Medium

References: CVE-2023-40167
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario. (CVE-2023-40167)

Affected Packages:

jetty

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update jetty to update your system.

New Packages:

noarch:
    jetty-project-9.0.3-8.amzn2.0.3.noarch
    jetty-annotations-9.0.3-8.amzn2.0.3.noarch
    jetty-ant-9.0.3-8.amzn2.0.3.noarch
    jetty-client-9.0.3-8.amzn2.0.3.noarch
    jetty-continuation-9.0.3-8.amzn2.0.3.noarch
    jetty-deploy-9.0.3-8.amzn2.0.3.noarch
    jetty-http-9.0.3-8.amzn2.0.3.noarch
    jetty-io-9.0.3-8.amzn2.0.3.noarch
    jetty-jaas-9.0.3-8.amzn2.0.3.noarch
    jetty-jaspi-9.0.3-8.amzn2.0.3.noarch
    jetty-jmx-9.0.3-8.amzn2.0.3.noarch
    jetty-jndi-9.0.3-8.amzn2.0.3.noarch
    jetty-jsp-9.0.3-8.amzn2.0.3.noarch
    jetty-jspc-maven-plugin-9.0.3-8.amzn2.0.3.noarch
    jetty-maven-plugin-9.0.3-8.amzn2.0.3.noarch
    jetty-monitor-9.0.3-8.amzn2.0.3.noarch
    jetty-plus-9.0.3-8.amzn2.0.3.noarch
    jetty-proxy-9.0.3-8.amzn2.0.3.noarch
    jetty-rewrite-9.0.3-8.amzn2.0.3.noarch
    jetty-runner-9.0.3-8.amzn2.0.3.noarch
    jetty-security-9.0.3-8.amzn2.0.3.noarch
    jetty-server-9.0.3-8.amzn2.0.3.noarch
    jetty-servlet-9.0.3-8.amzn2.0.3.noarch
    jetty-servlets-9.0.3-8.amzn2.0.3.noarch
    jetty-start-9.0.3-8.amzn2.0.3.noarch
    jetty-util-9.0.3-8.amzn2.0.3.noarch
    jetty-util-ajax-9.0.3-8.amzn2.0.3.noarch
    jetty-webapp-9.0.3-8.amzn2.0.3.noarch
    jetty-xml-9.0.3-8.amzn2.0.3.noarch
    jetty-websocket-api-9.0.3-8.amzn2.0.3.noarch
    jetty-websocket-client-9.0.3-8.amzn2.0.3.noarch
    jetty-websocket-common-9.0.3-8.amzn2.0.3.noarch
    jetty-websocket-parent-9.0.3-8.amzn2.0.3.noarch
    jetty-websocket-server-9.0.3-8.amzn2.0.3.noarch
    jetty-websocket-servlet-9.0.3-8.amzn2.0.3.noarch
    jetty-javadoc-9.0.3-8.amzn2.0.3.noarch

src:
    jetty-9.0.3-8.amzn2.0.3.src

Additional References

Red Hat: CVE-2023-40167

Mitre: CVE-2023-40167

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

ALAS-2024-2460

ALAS-2024-2460

Additional References

Vulmon Search

About

Products

Connect