CVE-2024-12397: io.quarkus.http/quarkus-http-core: Quarkus HTTP cookie smuggling

Description

A flaw was found in Quarkus-HTTP, which incorrectly parses cookies containing
certain value-delimiting characters in incoming requests. This issue could
allow an attacker to construct a cookie value that exfiltrates HttpOnly cookie
values or spoofs arbitrary additional cookie values, leading to unauthorized
data access or modification. The main impact of this flaw is on data
confidentiality and integrity.

Classification

CVE ID: CVE-2024-12397

Affected Products

Vendor: Red Hat

Product: Cryostat 3

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.09% (probability of being exploited)

EPSS Percentile: 40.72% (share of all scored vulnerabilities with an equal or lower EPSS score)

EPSS Date: 2025-02-04 (date on which this score was calculated)

References

https://access.redhat.com/security/cve/CVE-2024-12397
https://bugzilla.redhat.com/show_bug.cgi?id=2331298

Timeline