CVE-2024-12397

Source
https://cve.org/CVERecord?id=CVE-2024-12397
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-12397.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-12397
Aliases
Related
Published
2024-12-12T09:05:28.451Z
Modified
2026-07-08T07:47:10.998323408Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Io.quarkus.http/quarkus-http-core: quarkus http cookie smuggling
Details

A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/12xxx/CVE-2024-12397.json",
    "cwe_ids": [
        "CWE-444"
    ],
    "cna_assigner": "redhat"
}
References

Affected packages

Git / github.com/quarkusio/quarkus-http

Affected ranges

Type
GIT
Repo
https://github.com/quarkusio/quarkus-http
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.3.4"
        }
    ]
}

Affected versions

3.*
3.0.0.Alpha1
3.0.0.Alpha2
3.0.0.Alpha3
3.0.0.Alpha4
3.0.0.Alpha5
3.0.0.Alpha6
3.0.0.Alpha7
3.0.0.Beta1
3.0.0.Beta2
3.0.0.Beta3
3.0.0.Final
3.0.1.Final
3.0.10.Final
3.0.11.Final
3.0.12.Final
3.0.13.Final
3.0.14.Final
3.0.15.Final
3.0.16.Final
3.0.17.Final
3.0.18.Final
3.0.2.Final
3.0.3.Final
3.0.4.Final
3.0.5.Final
3.0.6.Final
3.0.7.Final
3.0.8.Final
3.0.9.Final
3.1.0.Beta1
3.1.0.Beta2
3.1.0.Final
3.1.1.Final
4.*
4.0.0
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.1.9
4.2.0
4.2.1
5.*
5.0.0.Final
5.0.1.Final
5.0.2.Final
5.0.3.Final
5.1.0.Final
5.2.0.Final
5.2.1.Final
5.2.2.Final
5.3.0
5.3.1
5.3.2
5.3.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-12397.json"