Bug 2330004 (CVE-2024-53990)

Summary: CVE-2024-53990 async-http-client: AsyncHttpClient (AHC) library's `CookieStore` replaces explicitly defined `Cookie`s
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: anstephe, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmiranda, dandread, darran.lofthouse, dkreling, dosoudil, drichtar, fjuma, fmariani, fmongiar, gmalinko, gsmet, istudens, ivassile, iweiss, janstey, jkoops, jmartisk, jnethert, jpoth, lgao, lthon, manderse, mosmerov, msochure, msvehla, nwallace, olubyans, pcongius, pdelbell, pdrozd, peholase, pesilva, pgallagh, pjindal, pmackay, probinso, pskopek, rmartinc, rowaters, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, smaestri, sthorger, tcunning, tom.jenkinson, tqvarnst, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the AsyncHttpClient (AHC) library. When making any HTTP request, the automatically enabled and self-managed CookieStore will silently replace explicitly defined cookies with any that have the same name from the CookieStore. For services that operate with multiple users, this can result in one user's cookie being used for another user's requests.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2024-12-02 18:01:20 UTC
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When making any HTTP request, the automatically enabled and self-managed CookieStore (aka cookie jar) will silently replace explicitly defined Cookies with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user's Cookie being used for another user's requests.
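
The cross-user cookie mix-up described above, as an added example that is not part of this bug report and not the AHC project's own code. It assumes AHC 2.x/3.x plus Netty on the classpath and uses the JDK's built-in `com.sun.net.httpserver` as a constructed stand-in for a multi-user upstream service: `/login?user=X` answers with `Set-Cookie: session=X`, and `/whoami` echoes back whatever `Cookie` header the client actually sent. The first client uses the default configuration (cookie jar enabled and shared by every request on that client); the second disables the jar with `DefaultAsyncHttpClientConfig.Builder.setCookieStore(null)`, which is the mitigation I would apply and which relies on the builder accepting `null` for that setter (verify this against the AHC version you run). Class and method names here (`CookieJarDemo`, `startEchoServer`, `whoami`) are mine.

```java
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;

import com.sun.net.httpserver.HttpServer;
import io.netty.handler.codec.http.cookie.DefaultCookie;
import org.asynchttpclient.AsyncHttpClient;
import org.asynchttpclient.DefaultAsyncHttpClientConfig;
import org.asynchttpclient.Dsl;
import org.asynchttpclient.Response;

public class CookieJarDemo {

    // Constructed stand-in for a multi-tenant upstream service (not a real service).
    // GET /login?user=X -> Set-Cookie: session=X
    // GET /whoami       -> body is the Cookie header the client really sent
    static HttpServer startEchoServer() throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/login", ex -> {
            String user = ex.getRequestURI().getQuery().replace("user=", "");
            ex.getResponseHeaders().add("Set-Cookie", "session=" + user + "; Path=/");
            byte[] body = ("logged in as " + user).getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.createContext("/whoami", ex -> {
            String cookie = ex.getRequestHeaders().getFirst("Cookie");
            byte[] body = String.valueOf(cookie).getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.start();
        return server;
    }

    // A request made on behalf of `user`: the caller attaches that user's session
    // cookie explicitly, exactly as a multi-user service would.
    static String whoami(AsyncHttpClient client, String base, String user) throws Exception {
        Response r = client.prepareGet(base + "/whoami")
                .addCookie(new DefaultCookie("session", user))
                .execute()
                .get();
        return r.getResponseBody();
    }

    public static void main(String[] args) throws Exception {
        HttpServer server = startEchoServer();
        String base = "http://127.0.0.1:" + server.getAddress().getPort();
        try {
            // 1. Default config: the CookieStore is enabled and shared by every request
            //    on this client. Alice's login stores session=alice in the jar; Bob's
            //    request then carries an explicit session=bob, but on an affected AHC
            //    the jar's same-named cookie replaces it and Bob acts as Alice.
            try (AsyncHttpClient shared = Dsl.asyncHttpClient()) {
                shared.prepareGet(base + "/login?user=alice").execute().get();
                System.out.println("shared jar, cookie sent for bob: " + whoami(shared, base, "bob"));
            }

            // 2. Mitigation: disable the jar (assumption: setCookieStore(null) is honoured),
            //    so only cookies the caller added explicitly are ever sent.
            DefaultAsyncHttpClientConfig config = Dsl.config().setCookieStore(null).build();
            try (AsyncHttpClient noJar = Dsl.asyncHttpClient(config)) {
                noJar.prepareGet(base + "/login?user=alice").execute().get();
                System.out.println("no jar, cookie sent for bob: " + whoami(noJar, base, "bob"));
            }
        } finally {
            server.stop(0);
        }
    }
}
```

On an affected release the first line reports `session=alice` for Bob's request, which is the flaw this bug describes; the second line reports `session=bob` regardless of release. If the cookie jar is genuinely needed (for example to follow a login flow), the alternative is one `AsyncHttpClient` per principal rather than one shared client, so that no jar ever holds another user's cookies.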

Comment 3 errata-xmlrpc 2025-02-05 13:53:24 UTC
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.8.3 for Spring Boot

Via RHSA-2025:1078 https://access.redhat.com/errata/RHSA-2025:1078