← back
CVE-2024-12397

Io.quarkus.http/quarkus-http-core: quarkus http cookie smuggling

CVSS 7.4 HIGHEPSS 0.8%CWE-444
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.4EPSS 0.8%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
12 Dec 2024Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected products
quarkus-httpRed Hat · Cryostat 3Red Hat · Cryostat 4 on RHEL 9Red Hat · HawtIO HawtIO 4.2.0Red Hat · Red Hat build of Apache Camel 4 for Quarkus 3Red Hat · Red Hat build of Apicurio Registry 2Red Hat · Red Hat Build of KeycloakRed Hat · Red Hat build of OptaPlanner 8Red Hat · Red Hat build of Quarkus 3.15.3Red Hat · Red Hat Fuse 7Red Hat · Red Hat Integration Camel K 1Red Hat · Red Hat JBoss Enterprise Application Platform 8Red Hat · Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat · Red Hat Process Automation 7Red Hat · streams for Apache Kafka

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://access.redhat.com/errata/RHSA-2025:0900https://access.redhat.com/errata/RHSA-2025:3018https://access.redhat.com/errata/RHSA-2025:8761https://access.redhat.com/security/cve/CVE-2024-12397https://bugzilla.redhat.com/show_bug.cgi?id=2331298