CVE-2023-4639
HIGHUndertow Cookie Parsing - HttpOnly Cookie Exfiltration and Spoofing
Title source: manualDescription
A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.
References (10)
Core 10
Core References
Vendor Advisory
https://security.netapp.com/advisory/ntap-20250207-0001/
Issue Tracking issue-tracking
x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2166022
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:1674
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:1675
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:1676
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:1677
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:2763
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:2764
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:3919
Vendor Advisory vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2023-4639
Scores
CVSS v3
7.4
EPSS
0.0112
EPSS Percentile
61.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-444
Status
published
Products (28)
io.undertow/undertow-core
2.3.0.Alpha1 - 2.3.11.FinalMaven
Red Hat/Migration Toolkit for Applications 6
Red Hat/Migration Toolkit for Runtimes 1 on RHEL 8
1.2-14
Red Hat/Migration Toolkit for Runtimes 1 on RHEL 8
1.2-15
Red Hat/Migration Toolkit for Runtimes 1 on RHEL 8
1.2-16
Red Hat/Migration Toolkit for Runtimes 1 on RHEL 8
1.2-23
Red Hat/Red Hat build of Apache Camel for Spring Boot 3
Red Hat/Red Hat build of Apicurio Registry
Red Hat/Red Hat build of Quarkus
Red Hat/Red Hat Data Grid 8
... and 18 more
Published
Nov 17, 2024
Tracked Since
Feb 18, 2026