Bug 2166022 (CVE-2023-4639)
| Field | Value |
|---|---|
| Summary | CVE-2023-4639 undertow: Cookie Smuggling/Spoofing |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Pedro Sampaio <psampaio> |
| Assignee | Nobody <nobody> |
| Status | NEW |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Target Milestone | --- |
| Target Release | --- |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw is to data confidentiality and integrity. |
| Story Points | --- |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 2166023 |
| CC | ahanwate, aileenc, alampare, alazarot, anstephe, asoldano, avibelli, balejosg, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, ccranfor, cdewolf, chazlett, clement.escoffier, cmiranda, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, dpalmer, drichtar, emingora, eric.wittmann, fjuma, fmariani, fmongiar, gjospin, gmalinko, gsmet, ibek, ivassile, iweiss, janstey, jcechace, jmartisk, jnethert, jpechane, jpoth, jrokos, jwon, kverlaen, lbacciot, lgao, lthon, max.andersen, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nwallace, olubyans, pantinor, pcattana, pcongius, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rjohnson, rowaters, rruss, rstancel, rsvoboda, sausingh, sbiarozk, sdouglas, security-response-team, smaestri, sthorger, tcunning, tom.jenkinson, tqvarnst, yfang |
Description

Pedro Sampaio, 2023-01-31 17:54:54 UTC

*** Bug 2166023 has been marked as a duplicate of this bug. ***

This issue has been addressed in the following products:

- Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9, via RHSA-2024:1676 https://access.redhat.com/errata/RHSA-2024:1676
- Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8, via RHSA-2024:1675 https://access.redhat.com/errata/RHSA-2024:1675
- Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7, via RHSA-2024:1674 https://access.redhat.com/errata/RHSA-2024:1674
- EAP 7.4.16, via RHSA-2024:1677 https://access.redhat.com/errata/RHSA-2024:1677
- Red Hat JBoss Enterprise Application Platform, via RHSA-2024:2763 https://access.redhat.com/errata/RHSA-2024:2763
- Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 and Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, via RHSA-2024:2764 https://access.redhat.com/errata/RHSA-2024:2764