CVE-2023-4639 Information

Description

A flaw was found in Undertow which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Reference

https://access.redhat.com/errata/RHSA-2024:1674
https://access.redhat.com/errata/RHSA-2024:1675
https://access.redhat.com/errata/RHSA-2024:1676
https://access.redhat.com/errata/RHSA-2024:1677
https://access.redhat.com/errata/RHSA-2024:2763
https://access.redhat.com/errata/RHSA-2024:2764
https://access.redhat.com/errata/RHSA-2024:3919
https://access.redhat.com/security/cve/CVE-2023-4639
https://bugzilla.redhat.com/show_bug.cgi?id=2166022

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

7.4

Base Severity

HIGH
