← volver
CVE-2024-12397

Io.quarkus.http/quarkus-http-core: quarkus http cookie smuggling

CVSS 7.4 HIGHEPSS 0.8%CWE-444
Vexday Risk Score
21Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 7.4EPSS 0.8%KEV nãoPoC Nuclei Metasploit Patch referenciado
Ciclo de vida
12 dic 2024Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Productos afectados
quarkus-httpRed Hat · Cryostat 3Red Hat · Cryostat 4 on RHEL 9Red Hat · HawtIO HawtIO 4.2.0Red Hat · Red Hat build of Apache Camel 4 for Quarkus 3Red Hat · Red Hat build of Apicurio Registry 2Red Hat · Red Hat Build of KeycloakRed Hat · Red Hat build of OptaPlanner 8Red Hat · Red Hat build of Quarkus 3.15.3Red Hat · Red Hat Fuse 7Red Hat · Red Hat Integration Camel K 1Red Hat · Red Hat JBoss Enterprise Application Platform 8Red Hat · Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat · Red Hat Process Automation 7Red Hat · streams for Apache Kafka

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://access.redhat.com/errata/RHSA-2025:0900https://access.redhat.com/errata/RHSA-2025:3018https://access.redhat.com/errata/RHSA-2025:8761https://access.redhat.com/security/cve/CVE-2024-12397https://bugzilla.redhat.com/show_bug.cgi?id=2331298