CVE-2024-12397 Information

Description

A flaw was found in Quarkus-HTTP which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Reference

https://access.redhat.com/security/cve/CVE-2024-12397
https://bugzilla.redhat.com/show_bug.cgi?id=2331298

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

7.4

Base Severity

HIGH
