← back
CVE-2023-4639

Undertow: cookie smuggling/spoofing

CVSS 7.4 HIGHEPSS 1.1%CWE-444
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.4EPSS 1.1%KEV nãoPoC Patch referenciado
Lifecycle
17 Nov 2024Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected products
Red Hat · Migration Toolkit for Applications 6Red Hat · Migration Toolkit for Runtimes 1 on RHEL 8Red Hat · Red Hat build of Apache Camel for Spring Boot 3Red Hat · Red Hat build of Apicurio RegistryRed Hat · Red Hat build of QuarkusRed Hat · Red Hat Data Grid 8Red Hat · Red Hat Decision Manager 7Red Hat · Red Hat Fuse 7Red Hat · Red Hat Integration Camel KRed Hat · Red Hat Integration Camel QuarkusRed Hat · Red Hat Integration Change Data CaptureRed Hat · Red Hat JBoss Data Grid 7Red Hat · Red Hat JBoss Enterprise Application Platform 6Red Hat · Red Hat JBoss Enterprise Application Platform 7Red Hat · Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8Red Hat · Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9Red Hat · Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7Red Hat · Red Hat JBoss Enterprise Application Platform 8Red Hat · Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8Red Hat · Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9Red Hat · Red Hat JBoss Fuse 6Red Hat · Red Hat JBoss Fuse Service Works 6Red Hat · Red Hat Process Automation 7Red Hat · Red Hat Single Sign-On 7

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://access.redhat.com/errata/RHSA-2024:1674https://access.redhat.com/errata/RHSA-2024:1675https://access.redhat.com/errata/RHSA-2024:1676https://access.redhat.com/errata/RHSA-2024:1677https://access.redhat.com/errata/RHSA-2024:2763https://access.redhat.com/errata/RHSA-2024:2764https://access.redhat.com/errata/RHSA-2024:3919https://access.redhat.com/security/cve/CVE-2023-4639https://bugzilla.redhat.com/show_bug.cgi?id=2166022https://security.netapp.com/advisory/ntap-20250207-0001/