CVE-2024-12397 | THREATINT

Description

A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.

PUBLISHED Reserved 2024-12-10 | Published 2024-12-12 | Updated 2025-11-11 | Assigner redhat

HIGH: 7.4CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Problem types

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Product status

Default status

unaffected

Any version before 5.3.4

affected

Default status

affected

0.5.0-6 (rpm) before *

unaffected

Default status

affected

4.0.0-7 (rpm) before *

unaffected

Default status

affected

4.0.0-7 (rpm) before *

unaffected

Default status

affected

4.0.0-7 (rpm) before *

unaffected

Default status

affected

4.0.0-7 (rpm) before *

unaffected

Default status

affected

4.0.0-7 (rpm) before *

unaffected

Default status

affected

4.0.0-7 (rpm) before *

unaffected

Default status

affected

4.0.0-7 (rpm) before *

unaffected

Default status

affected

4.0.0-7 (rpm) before *

unaffected

Default status

affected

4.0.0-7 (rpm) before *

unaffected

Default status

affected

4.0.0-7 (rpm) before *

unaffected

Default status

unaffected

Default status

unaffected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

unknown

Default status

affected

Default status

unaffected

Default status

unaffected

Default status

affected

Default status

affected

Timeline

2024-12-10:	Reported to Red Hat.
2024-12-10:	Made public.

References

access.redhat.com/errata/RHSA-2025:0900 (RHSA-2025:0900) vendor-advisory

access.redhat.com/errata/RHSA-2025:3018 (RHSA-2025:3018) vendor-advisory

access.redhat.com/errata/RHSA-2025:8761 (RHSA-2025:8761) vendor-advisory

access.redhat.com/security/cve/CVE-2024-12397 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2331298 (RHBZ#2331298) issue-tracking

cve.org (CVE-2024-12397)

nvd.nist.gov (CVE-2024-12397)

Download JSON