Описание
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the + character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
A flaw was found in Jetty that permits a plus sign (+) preceding the content-length value in a HTTP/1 header field, which is non-standard and more permissive than RFC. This issue could allow an attacker to request smuggling in conjunction with a server that does not close connections after 400 responses.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| A-MQ Clients 2 | jetty-http | Affected | ||
| Migration Toolkit for Applications 6 | commons-io-commons-io | Not affected | ||
| Migration Toolkit for Runtimes | commons-io-commons-io | Not affected | ||
| OpenShift Serverless | org.kie.kogito-kogito-apps | Will not fix | ||
| Red Hat build of Apache Camel for Spring Boot 3 | jetty-http | Affected | ||
| Red Hat Enterprise Linux 7 | jetty | Out of support scope | ||
| Red Hat Enterprise Linux 8 | jetty | Not affected | ||
| Red Hat Enterprise Linux 9 | jetty | Will not fix | ||
| Red Hat JBoss A-MQ 6 | jetty-http | Out of support scope | ||
| Red Hat JBoss Data Grid 7 | jetty-http | Out of support scope |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
Jetty is a Java based web server and servlet engine. Prior to versions ...
Jetty accepts "+" prefixed value in Content-Length
Уязвимость контейнера сервлетов Eclipse Jetty, связанная с ошибками при обработке параметров длины входных данных, позволяющая нарушителю выполнять атаку «контрабанда HTTP-запросов»
EPSS
5.3 Medium
CVSS3