CVE-2024-12397

HIGH

Io.quarkus.http Quarkus-http-core < 5.3.4 - HTTP Request Smuggling

Title source: rule

Description

A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.

References (5)

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:0900

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:3018

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:8761

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2024-12397

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=2331298

Scores

CVSS v3 7.4

EPSS 0.0042

EPSS Percentile 62.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-444

Status published

Products (16)

io.quarkus.http/quarkus-http-core 0 - 5.3.4Maven

Red Hat/Cryostat 3

Red Hat/Cryostat 4 on RHEL 9 0.5.0-6

Red Hat/Cryostat 4 on RHEL 9 4.0.0-7

Red Hat/HawtIO HawtIO 4.2.0

Red Hat/Red Hat build of Apache Camel 4 for Quarkus 3

Red Hat/Red Hat build of Apicurio Registry 2

Red Hat/Red Hat Build of Keycloak

Red Hat/Red Hat build of OptaPlanner 8

Red Hat/Red Hat build of Quarkus 3.15.3

... and 6 more

Published Dec 12, 2024

Tracked Since Feb 18, 2026