Bug 2331298 (CVE-2024-12397)

Summary: CVE-2024-12397 io.quarkus.http/quarkus-http-core: Quarkus HTTP Cookie Smuggling
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: aazores, abrianik, adupliak, anstephe, aschwart, asoldano, avibelli, bbaranow, bgeorges, bihu, bmaxwell, boliveir, brian.stansberry, ccranfor, cdewolf, chazlett, chfoley, clement.escoffier, cmah, cmiranda, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, eaguilar, ebaron, ecerquei, eric.wittmann, fjuma, fmongiar, ggrzybek, gmalinko, gsmet, ibek, istudens, ivassile, iweiss, janstey, jkoops, jmartisk, jnethert, jolong, jpechane, jrokos, jscholz, kverlaen, lgao, lthon, manderse, mnovotny, mosmerov, mposolda, msochure, msvehla, nipatil, nwallace, olubyans, pantinor, parichar, pcongius, pdelbell, pdrozd, peholase, pesilva, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rkubis, rmartinc, rowaters, rruss, rstancel, rstepani, rsvoboda, saroy, sausingh, sbiarozk, sfroberg, smaestri, ssilvert, sthorger, swoodman, tasato, tom.jenkinson, tqvarnst, vmuzikar, wfink
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: ---
Doc Text:
A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description OSIDB Bzimport 2024-12-10 01:22:42 UTC
A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with
certain value-delimiting characters in incoming requests. This issue could
allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie
values or spoof arbitrary additional cookie values, leading to unauthorized
data access or modification. The main threat from this flaw impacts data
confidentiality and integrity.

Comment 3 errata-xmlrpc 2025-02-05 15:03:45 UTC
This issue has been addressed in the following products:

  Red Hat Build of Apache Camel 4.8 for Quarkus 3.15

Via RHSA-2025:1082 https://access.redhat.com/errata/RHSA-2025:1082

Comment 5 errata-xmlrpc 2025-03-19 20:36:46 UTC
This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2025:3018 https://access.redhat.com/errata/RHSA-2025:3018

Comment 7 errata-xmlrpc 2025-06-10 10:39:35 UTC
This issue has been addressed in the following products:

  HawtIO HawtIO 4.2.0

Via RHSA-2025:8761 https://access.redhat.com/errata/RHSA-2025:8761