The package Jetty in versions 9.0.x prior to 9.4.52.v20230823, 10.0.x prior to 10.0.16, 11.0.x prior to 11.0.16 and 12.0.x prior to 12.0.1 accepts the '+' character preceding the Content-Length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response.
Checkmarx (SCA): Vulnerable Package
Vulnerability: CVE-2023-40167
Checkmarx Project: cxronen/BookStore_VSCode
Repository URL: https://github.com/cxronen/BookStore_VSCode
Branch: master
Scan ID: 3aaa12b3-552a-4874-ba98-3d364d7d56f6
Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: NONE
Availability impact: NONE
Remediation Upgrade Recommendation: 9.4.53.v20231009