CVE-2024-12397
Io.quarkus.http/quarkus-http-core: quarkus http cookie smuggling
Vexday Risk Score
21Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 7.4EPSS 0.8%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado
Ciclo de vida
12 dez 2024Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with
certain value-delimiting characters in incoming requests. This issue could
allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie
values or spoof arbitrary additional cookie values, leading to unauthorized
data access or modification. The main threat from this flaw impacts data
confidentiality and integrity.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Produtos afetados
quarkus-httpRed Hat · Cryostat 3Red Hat · Cryostat 4 on RHEL 9Red Hat · HawtIO HawtIO 4.2.0Red Hat · Red Hat build of Apache Camel 4 for Quarkus 3Red Hat · Red Hat build of Apicurio Registry 2Red Hat · Red Hat Build of KeycloakRed Hat · Red Hat build of OptaPlanner 8Red Hat · Red Hat build of Quarkus 3.15.3Red Hat · Red Hat Fuse 7Red Hat · Red Hat Integration Camel K 1Red Hat · Red Hat JBoss Enterprise Application Platform 8Red Hat · Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat · Red Hat Process Automation 7Red Hat · streams for Apache KafkaQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →