CVE-2024-12397

Io.quarkus.http/quarkus-http-core: quarkus http cookie smuggling

Severity Score

7.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with
certain value-delimiting characters in incoming requests. This issue could
allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie
values or spoof arbitrary additional cookie values, leading to unauthorized
data access or modification. The main threat from this flaw impacts data
confidentiality and integrity.

Se encontró una falla en Quarkus-HTTP que analiza incorrectamente las cookies con ciertos caracteres que delimitan valores en las solicitudes entrantes. Este problema podría permitir que un atacante construya un valor de cookie para extraer valores de cookies HttpOnly o falsificar valores de cookies adicionales arbitrarios, lo que lleva a un acceso o modificación de datos no autorizados. La principal amenaza de esta falla afecta la confidencialidad e integridad de los datos.

A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-12-10 CVE Reserved
2024-12-12 CVE Published
2024-12-13 CVE Updated
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CAPEC

References (2)

URL	Tag	Source
https://access.redhat.com/security/cve/CVE-2024-12397	Vdb Entry
https://bugzilla.redhat.com/show_bug.cgi?id=2331298	Issue Tracking

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Amq Streams Search vendor "Redhat" for product "Amq Streams"				*		-		Affected
Redhat Search vendor "Redhat"		Build Keycloak Search vendor "Redhat" for product "Build Keycloak"				*		-		Affected
Redhat Search vendor "Redhat"		Build Of Keycloak Search vendor "Redhat" for product "Build Of Keycloak"				*		-		Affected
Redhat Search vendor "Redhat"		Build Of Optaplanner Search vendor "Redhat" for product "Build Of Optaplanner"				*		-		Affected
Redhat Search vendor "Redhat"		Build Of Quarkus Search vendor "Redhat" for product "Build Of Quarkus"				*		-		Affected
Redhat Search vendor "Redhat"		Camel Quarkus Search vendor "Redhat" for product "Camel Quarkus"				*		-		Affected
Redhat Search vendor "Redhat"		Cryostat Search vendor "Redhat" for product "Cryostat"				*		-		Affected
Redhat Search vendor "Redhat"		Integration Search vendor "Redhat" for product "Integration"				*		-		Affected
Redhat Search vendor "Redhat"		Integration Camel K Search vendor "Redhat" for product "Integration Camel K"				*		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				*		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Bpms Platform Search vendor "Redhat" for product "Jboss Enterprise Bpms Platform"				*		-		Affected
Redhat Search vendor "Redhat"		Jboss Fuse Search vendor "Redhat" for product "Jboss Fuse"				*		-		Affected
Redhat Search vendor "Redhat"		Jbosseapxp Search vendor "Redhat" for product "Jbosseapxp"				*		-		Affected
Redhat Search vendor "Redhat"		Optaplanner Search vendor "Redhat" for product "Optaplanner"				*		-		Affected
Redhat Search vendor "Redhat"		Process Automation Search vendor "Redhat" for product "Process Automation"				*		-		Affected
Redhat Search vendor "Redhat"		Quarkus Search vendor "Redhat" for product "Quarkus"				*		-		Affected
Redhat Search vendor "Redhat"		Rhboac Hawtio Search vendor "Redhat" for product "Rhboac Hawtio"				*		-		Affected
Redhat Search vendor "Redhat"		Service Registry Search vendor "Redhat" for product "Service Registry"				*		-		Affected