Security Bulletin: IBM Event Streams is vulnerable to HTTP request smuggling (CVE-2023-40167)
Description

Summary

IBM Event Streams is vulnerable to HTTP request smuggling due to the Jetty component. Jetty provides client-side libraries that allow us to embed an HTTP or WebSocket client in our applications.

Vulnerability Details

**CVEID:** CVE-2023-40167
**DESCRIPTION:** Jetty is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP/1 request header. By sending a specially crafted request, a remote attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/266353 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Event Streams | 10.0.0-11.3.0 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading IBM Event Streams (Continuous Delivery). Upgrade to IBM Event Streams 11.3.1 by following the upgrading and migrating documentation.

Workarounds and Mitigations…
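The bulletin states only that the flaw is improper parsing of the HTTP/1 request header. As an added illustration (not Jetty's or IBM's code), the following strict body-framing check shows the kind of validation that removes this class of ambiguity: it enforces the RFC 9110 Content-Length grammar and refuses any request whose body length is declared twice or in two different ways, so the server never disagrees with the proxy in front of it about where one request ends. The sample requests are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# RFC 9110 grammar: Content-Length = 1*DIGIT. Optional whitespace (OWS) around a
# field value is allowed, but a sign, letters, or a second differing value is not.
# A lenient parser that "repairs" such values can disagree with an upstream proxy
# about the body boundary, which is the root of HTTP request smuggling.
CONTENT_LENGTH_RE = re.compile(r"^[0-9]+$")
OWS = " \t"

def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Return header name -> list of values (OWS trimmed) for a raw HTTP/1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # index 0 is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.lower(), []).append(value.strip(OWS))
    return headers

def framing_error(raw: bytes) -> Optional[str]:
    """Reason the request's body framing is ambiguous or malformed, or None if clean.
    A server should answer 400 and close the connection rather than guess."""
    h = parse_headers(raw)
    cls = h.get("content-length", [])
    tes = h.get("transfer-encoding", [])
    if cls and tes:
        return "both Content-Length and Transfer-Encoding present"
    if len(set(cls)) > 1:
        return "conflicting Content-Length values"
    for v in cls:
        if not CONTENT_LENGTH_RE.fullmatch(v):
            return f"malformed Content-Length {v!r}"
    if tes and tes[-1].split(",")[-1].strip(OWS).lower() != "chunked":
        return "Transfer-Encoding does not end with chunked"
    return None

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "clean": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
    "signed_length": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: +5\r\n\r\nhello",
    "cl_and_te": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "dup_length": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n"
                  b"Content-Length: 6\r\n\r\nhello",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:14s} -> {framing_error(req) or 'ok'}")
```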
