Bug 2331298 (CVE-2024-12397) - CVE-2024-12397 io.quarkus.http/quarkus-http-core: Quarkus HTTP Cookie Smuggling
Summary: CVE-2024-12397 io.quarkus.http/quarkus-http-core: Quarkus HTTP Cookie Smuggling
Keywords:
Status: NEW
Alias: CVE-2024-12397
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium (priority), medium (severity)
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-12-10 01:22 UTC by OSIDB Bzimport
Modified: 2025-06-10 10:39 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System: Red Hat Product Errata | ID: RHSA-2025:1082 | Private: 0 | Priority: None | Status: None | Summary: None | Last Updated: 2025-02-05 15:03:50 UTC
System: Red Hat Product Errata | ID: RHSA-2025:3018 | Private: 0 | Priority: None | Status: None | Summary: None | Last Updated: 2025-03-19 20:36:51 UTC
System: Red Hat Product Errata | ID: RHSA-2025:8761 | Private: 0 | Priority: None | Status: None | Summary: None | Last Updated: 2025-06-10 10:39:42 UTC

Description OSIDB Bzimport 2024-12-10 01:22:42 UTC
A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with
certain value-delimiting characters in incoming requests. This issue could
allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie
values or spoof arbitrary additional cookie values, leading to unauthorized
data access or modification. The main threat from this flaw impacts data
confidentiality and integrity.

Comment 3 errata-xmlrpc 2025-02-05 15:03:45 UTC
This issue has been addressed in the following products:

  Red Hat Build of Apache Camel 4.8 for Quarkus 3.15

Via RHSA-2025:1082 https://access.redhat.com/errata/RHSA-2025:1082

Comment 5 errata-xmlrpc 2025-03-19 20:36:46 UTC
This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2025:3018 https://access.redhat.com/errata/RHSA-2025:3018

Comment 7 errata-xmlrpc 2025-06-10 10:39:35 UTC
This issue has been addressed in the following products:

  HawtIO HawtIO 4.2.0

Via RHSA-2025:8761 https://access.redhat.com/errata/RHSA-2025:8761

