CVE-2024-12397

HIGH

Quarkus-HTTP < 5.3.4 - HTTP Request Smuggling via Cookie Parsing

Title source: llm

Description

A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.

References (5)

Core 5

Core References

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2025:0900

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2025:3018

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2025:8761

Vendor Advisory vdb-entry x_refsource_redhat

https://access.redhat.com/security/cve/CVE-2024-12397

Issue Tracking issue-tracking x_refsource_redhat

https://bugzilla.redhat.com/show_bug.cgi?id=2331298

Scores

CVSS v3 7.4

EPSS 0.0075

EPSS Percentile 50.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-444

Status published

Products (16)

io.quarkus.http/quarkus-http-core 0 - 5.3.4Maven

Red Hat/Cryostat 3

Red Hat/Cryostat 4 on RHEL 9 0.5.0-6

Red Hat/Cryostat 4 on RHEL 9 4.0.0-7

Red Hat/HawtIO HawtIO 4.2.0

Red Hat/Red Hat build of Apache Camel 4 for Quarkus 3

Red Hat/Red Hat build of Apicurio Registry 2

Red Hat/Red Hat Build of Keycloak

Red Hat/Red Hat build of OptaPlanner 8

Red Hat/Red Hat build of Quarkus 3.15.3

... and 6 more

Published Dec 12, 2024

Tracked Since Feb 18, 2026