Rapid7 Vulnerability & Exploit Database

Amazon Linux AMI 2: CVE-2023-40167: Security patch for jetty (ALAS-2024-2460)

Free InsightVM Trial No Credit Card Necessary

Watch Demo See how it all works

Back to Search

Amazon Linux AMI 2: CVE-2023-40167: Security patch for jetty (ALAS-2024-2460)

Severity

CVSS

(AV:L/AC:M/Au:N/C:P/I:P/A:P)

Published

09/15/2023

Created

02/22/2024

Added

02/21/2024

Modified

02/21/2024

Description

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.

Solution(s)

amazon-linux-ami-2-upgrade-jetty-annotations
amazon-linux-ami-2-upgrade-jetty-ant
amazon-linux-ami-2-upgrade-jetty-client
amazon-linux-ami-2-upgrade-jetty-continuation
amazon-linux-ami-2-upgrade-jetty-deploy
amazon-linux-ami-2-upgrade-jetty-http
amazon-linux-ami-2-upgrade-jetty-io
amazon-linux-ami-2-upgrade-jetty-jaas
amazon-linux-ami-2-upgrade-jetty-jaspi
amazon-linux-ami-2-upgrade-jetty-javadoc
amazon-linux-ami-2-upgrade-jetty-jmx
amazon-linux-ami-2-upgrade-jetty-jndi
amazon-linux-ami-2-upgrade-jetty-jsp
amazon-linux-ami-2-upgrade-jetty-jspc-maven-plugin
amazon-linux-ami-2-upgrade-jetty-maven-plugin
amazon-linux-ami-2-upgrade-jetty-monitor
amazon-linux-ami-2-upgrade-jetty-plus
amazon-linux-ami-2-upgrade-jetty-project
amazon-linux-ami-2-upgrade-jetty-proxy
amazon-linux-ami-2-upgrade-jetty-rewrite
amazon-linux-ami-2-upgrade-jetty-runner
amazon-linux-ami-2-upgrade-jetty-security
amazon-linux-ami-2-upgrade-jetty-server
amazon-linux-ami-2-upgrade-jetty-servlet
amazon-linux-ami-2-upgrade-jetty-servlets
amazon-linux-ami-2-upgrade-jetty-start
amazon-linux-ami-2-upgrade-jetty-util
amazon-linux-ami-2-upgrade-jetty-util-ajax
amazon-linux-ami-2-upgrade-jetty-webapp
amazon-linux-ami-2-upgrade-jetty-websocket-api
amazon-linux-ami-2-upgrade-jetty-websocket-client
amazon-linux-ami-2-upgrade-jetty-websocket-common
amazon-linux-ami-2-upgrade-jetty-websocket-parent
amazon-linux-ami-2-upgrade-jetty-websocket-server
amazon-linux-ami-2-upgrade-jetty-websocket-servlet
amazon-linux-ami-2-upgrade-jetty-xml

References

https://attackerkb.com/topics/cve-2023-40167
AL2/ALAS-2024-2460
CVE - 2023-40167

Advanced vulnerability management analytics and reporting.

Key Features

Free InsightVM Trial View All Features

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;

Rapid7 Vulnerability & Exploit Database

Amazon Linux AMI 2: CVE-2023-40167: Security patch for jetty (ALAS-2024-2460)

Amazon Linux AMI 2: CVE-2023-40167: Security patch for jetty (ALAS-2024-2460)

Description

Solution(s)

References

Success! Thank you for submission. We will be in touch shortly.

Oops! There was a problem in submission. Please try again.

Submit your information and we will get in touch with you.