VulnerableCode Package Details - pkg:maven/org.eclipse.jetty/jetty-http@9.0.0

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:maven/org.eclipse.jetty/jetty-http@9.0.0

Essentials
History (2)

purl	pkg:maven/org.eclipse.jetty/jetty-http@9.0.0
Tags	Ghost

Next non-vulnerable version	12.0.31
Latest non-vulnerable version	12.1.7
Risk	3.1

Vulnerabilities affecting this package (1)

Vulnerability	Summary	Fixed by
VCID-q3k2-1x5q-buhy Aliases: CVE-2023-40167 GHSA-hmr7-m48g-48f6	Improper Handling of Length Parameter Inconsistency Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.	9.4.51.v20230217 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 9.4.52 Affected by 0 other vulnerabilities. 10.0.16 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.16 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 12.0.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-q3k2-1x5q-buhy
Aliases:
CVE-2023-40167
GHSA-hmr7-m48g-48f6

Improper Handling of Length Parameter Inconsistency Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.

9.4.51.v20230217
Affected by 2 other vulnerabilities.

9.4.52
Affected by 0 other vulnerabilities.

10.0.16
Affected by 2 other vulnerabilities.

11.0.16
Affected by 2 other vulnerabilities.

12.0.1
Affected by 2 other vulnerabilities.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-02T17:00:16.200141+00:00	GHSA Importer	Affected by	VCID-q3k2-1x5q-buhy	https://github.com/advisories/GHSA-hmr7-m48g-48f6	38.1.0
2026-04-01T12:51:49.703912+00:00	GitLab Importer	Affected by	VCID-q3k2-1x5q-buhy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.eclipse.jetty/jetty-http/CVE-2023-40167.yml	38.0.0