{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-12397", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-12-10T01:22:12.303Z", "datePublished": "2024-12-12T09:05:28.451Z", "dateUpdated": "2025-06-10T17:49:44.230Z"}, "containers": {"cna": {"title": "Io.quarkus.http/quarkus-http-core: quarkus http cookie smuggling", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with\ncertain value-delimiting characters in incoming requests. This issue could\nallow an attacker to construct a cookie value to exfiltrate HttpOnly cookie\nvalues or spoof arbitrary additional cookie values, leading to unauthorized\ndata access or modification. The main threat from this flaw impacts data\nconfidentiality and integrity."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "5.3.4", "versionType": "semver"}], "packageName": "quarkus-http", "collectionURL": "https://github.com/quarkusio/quarkus-http", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "cryostat/cryostat-agent-init-rhel9", "defaultStatus": "affected", "versions": [{"version": "0.5.0-6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:cryostat:4::el9"]}, {"vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "cryostat/cryostat-db-rhel9", "defaultStatus": "affected", "versions": [{"version": "4.0.0-7", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:cryostat:4::el9"]}, {"vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "cryostat/cryostat-grafana-dashboard-rhel9", "defaultStatus": "affected", "versions": [{"version": "4.0.0-7", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:cryostat:4::el9"]}, {"vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "cryostat/cryostat-openshift-console-plugin-rhel9", "defaultStatus": "affected", "versions": [{"version": "4.0.0-7", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:cryostat:4::el9"]}, {"vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "cryostat/cryostat-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "4.0.0-7", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:cryostat:4::el9"]}, {"vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "cryostat/cryostat-ose-oauth-proxy-rhel9", "defaultStatus": "affected", "versions": [{"version": "4.0.0-7", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:cryostat:4::el9"]}, {"vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "cryostat/cryostat-reports-rhel9", "defaultStatus": "affected", "versions": [{"version": "4.0.0-7", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:cryostat:4::el9"]}, {"vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "cryostat/cryostat-rhel9", "defaultStatus": "affected", "versions": [{"version": "4.0.0-7", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:cryostat:4::el9"]}, {"vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "cryostat/cryostat-rhel9-operator", "defaultStatus": "affected", "versions": [{"version": "4.0.0-7", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:cryostat:4::el9"]}, {"vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "cryostat/cryostat-storage-rhel9", "defaultStatus": "affected", "versions": [{"version": "4.0.0-7", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:cryostat:4::el9"]}, {"vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "cryostat/jfr-datasource-rhel9", "defaultStatus": "affected", "versions": [{"version": "4.0.0-7", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:cryostat:4::el9"]}, {"vendor": "Red Hat", "product": "HawtIO HawtIO 4.2.0", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "io.quarkus.http/quarkus-http-core", "cpes": ["cpe:/a:redhat:apache_camel_hawtio:4.2::el6"]}, {"vendor": "Red Hat", "product": "Red Hat build of Quarkus 3.15.3", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected", "packageName": "io.quarkus.http/quarkus-http-core", "cpes": ["cpe:/a:redhat:quarkus:3.15::el8"]}, {"vendor": "Red Hat", "product": "Cryostat 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.quarkus.http/quarkus-http-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:cryostat:3"]}, {"vendor": "Red Hat", "product": "Red Hat build of Apache Camel 4 for Quarkus 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "com.redhat.quarkus.platform/quarkus-camel-bom", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:camel_quarkus:3"]}, {"vendor": "Red Hat", "product": "Red Hat build of Apache Camel 4 for Quarkus 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "com.redhat.quarkus.platform/quarkus-cxf-bom", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:camel_quarkus:3"]}, {"vendor": "Red Hat", "product": "Red Hat build of Apache Camel - HawtIO 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.quarkus.http/quarkus-http-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:rhboac_hawtio:4"]}, {"vendor": "Red Hat", "product": "Red Hat build of Apicurio Registry 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.quarkus.http/quarkus-http-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:service_registry:2"]}, {"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.quarkus.http/quarkus-http-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:build_keycloak:"]}, {"vendor": "Red Hat", "product": "Red Hat build of OptaPlanner 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.quarkus.http/quarkus-http-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:optaplanner:::el6"]}, {"vendor": "Red Hat", "product": "Red Hat Fuse 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.quarkus.http/quarkus-http-core", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_fuse:7"]}, {"vendor": "Red Hat", "product": "Red Hat Integration Camel K 1", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.quarkus.http/quarkus-http-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:integration:1"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "io.quarkus.http/quarkus-http-core", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "io.quarkus.http/quarkus-http-core", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jbosseapxp"]}, {"vendor": "Red Hat", "product": "Red Hat Process Automation 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.quarkus.http/quarkus-http-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jboss_enterprise_bpms_platform:7"]}, {"vendor": "Red Hat", "product": "streams for Apache Kafka", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.quarkus.http/quarkus-http-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:amq_streams:1"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:0900", "name": "RHSA-2025:0900", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:3018", "name": "RHSA-2025:3018", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:8761", "name": "RHSA-2025:8761", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-12397", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2331298", "name": "RHBZ#2331298", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-12-10T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "description": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "workarounds": [{"lang": "en", "value": "Currently, no mitigation is available for this vulnerability."}], "timeline": [{"lang": "en", "time": "2024-12-10T01:15:33.380000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-12-10T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-06-10T17:49:44.230Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-12-12T15:31:47.316503Z", "id": "CVE-2024-12397", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-12T15:45:08.143Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-12397", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-12-12T15:31:47.316503Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-12T15:31:48.532Z"}}], "cna": {"title": "Io.quarkus.http/quarkus-http-core: quarkus http cookie smuggling", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "5.3.4", "versionType": "semver"}], "packageName": "quarkus-http", "collectionURL": "https://github.com/quarkusio/quarkus-http", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:cryostat:4::el9"], "vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "versions": [{"status": "unaffected", "version": "0.5.0-6", "lessThan": "*", "versionType": "rpm"}], "packageName": "cryostat/cryostat-agent-init-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:cryostat:4::el9"], "vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "versions": [{"status": "unaffected", "version": "4.0.0-7", "lessThan": "*", "versionType": "rpm"}], "packageName": "cryostat/cryostat-db-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:cryostat:4::el9"], "vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "versions": [{"status": "unaffected", "version": "4.0.0-7", "lessThan": "*", "versionType": "rpm"}], "packageName": "cryostat/cryostat-grafana-dashboard-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:cryostat:4::el9"], "vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "versions": [{"status": "unaffected", "version": "4.0.0-7", "lessThan": "*", "versionType": "rpm"}], "packageName": "cryostat/cryostat-openshift-console-plugin-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:cryostat:4::el9"], "vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "versions": [{"status": "unaffected", "version": "4.0.0-7", "lessThan": "*", "versionType": "rpm"}], "packageName": "cryostat/cryostat-operator-bundle", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:cryostat:4::el9"], "vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "versions": [{"status": "unaffected", "version": "4.0.0-7", "lessThan": "*", "versionType": "rpm"}], "packageName": "cryostat/cryostat-ose-oauth-proxy-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:cryostat:4::el9"], "vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "versions": [{"status": "unaffected", "version": "4.0.0-7", "lessThan": "*", "versionType": "rpm"}], "packageName": "cryostat/cryostat-reports-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:cryostat:4::el9"], "vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "versions": [{"status": "unaffected", "version": "4.0.0-7", "lessThan": "*", "versionType": "rpm"}], "packageName": "cryostat/cryostat-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:cryostat:4::el9"], "vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "versions": [{"status": "unaffected", "version": "4.0.0-7", "lessThan": "*", "versionType": "rpm"}], "packageName": "cryostat/cryostat-rhel9-operator", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:cryostat:4::el9"], "vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "versions": [{"status": "unaffected", "version": "4.0.0-7", "lessThan": "*", "versionType": "rpm"}], "packageName": "cryostat/cryostat-storage-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:cryostat:4::el9"], "vendor": "Red Hat", "product": "Cryostat 4 on RHEL 9", "versions": [{"status": "unaffected", "version": "4.0.0-7", "lessThan": "*", "versionType": "rpm"}], "packageName": "cryostat/jfr-datasource-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:apache_camel_hawtio:4.2::el6"], "vendor": "Red Hat", "product": "HawtIO HawtIO 4.2.0", "packageName": "io.quarkus.http/quarkus-http-core", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:quarkus:3.15::el8"], "vendor": "Red Hat", "product": "Red Hat build of Quarkus 3.15.3", "packageName": "io.quarkus.http/quarkus-http-core", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:cryostat:3"], "vendor": "Red Hat", "product": "Cryostat 3", "packageName": "io.quarkus.http/quarkus-http-core", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:camel_quarkus:3"], "vendor": "Red Hat", "product": "Red Hat build of Apache Camel 4 for Quarkus 3", "packageName": "com.redhat.quarkus.platform/quarkus-camel-bom", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:camel_quarkus:3"], "vendor": "Red Hat", "product": "Red Hat build of Apache Camel 4 for Quarkus 3", "packageName": "com.redhat.quarkus.platform/quarkus-cxf-bom", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhboac_hawtio:4"], "vendor": "Red Hat", "product": "Red Hat build of Apache Camel - HawtIO 4", "packageName": "io.quarkus.http/quarkus-http-core", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:service_registry:2"], "vendor": "Red Hat", "product": "Red Hat build of Apicurio Registry 2", "packageName": "io.quarkus.http/quarkus-http-core", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:"], "vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "packageName": "io.quarkus.http/quarkus-http-core", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:optaplanner:::el6"], "vendor": "Red Hat", "product": "Red Hat build of OptaPlanner 8", "packageName": "io.quarkus.http/quarkus-http-core", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_fuse:7"], "vendor": "Red Hat", "product": "Red Hat Fuse 7", "packageName": "io.quarkus.http/quarkus-http-core", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:integration:1"], "vendor": "Red Hat", "product": "Red Hat Integration Camel K 1", "packageName": "io.quarkus.http/quarkus-http-core", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "packageName": "io.quarkus.http/quarkus-http-core", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jbosseapxp"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "packageName": "io.quarkus.http/quarkus-http-core", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_bpms_platform:7"], "vendor": "Red Hat", "product": "Red Hat Process Automation 7", "packageName": "io.quarkus.http/quarkus-http-core", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:amq_streams:1"], "vendor": "Red Hat", "product": "streams for Apache Kafka", "packageName": "io.quarkus.http/quarkus-http-core", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-12-10T01:15:33.380000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-12-10T00:00:00+00:00", "value": "Made public."}], "datePublic": "2024-12-10T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:0900", "name": "RHSA-2025:0900", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:3018", "name": "RHSA-2025:3018", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:8761", "name": "RHSA-2025:8761", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-12397", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2331298", "name": "RHBZ#2331298", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Currently, no mitigation is available for this vulnerability."}], "descriptions": [{"lang": "en", "value": "A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with\ncertain value-delimiting characters in incoming requests. This issue could\nallow an attacker to construct a cookie value to exfiltrate HttpOnly cookie\nvalues or spoof arbitrary additional cookie values, leading to unauthorized\ndata access or modification. The main threat from this flaw impacts data\nconfidentiality and integrity."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-444", "description": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-06-10T17:49:44.230Z"}, "x_redhatCweChain": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}}, "cveMetadata": {"cveId": "CVE-2024-12397", "state": "PUBLISHED", "dateUpdated": "2025-06-10T17:49:44.230Z", "dateReserved": "2024-12-10T01:22:12.303Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-12-12T09:05:28.451Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with\ncertain value-delimiting characters in incoming requests. This issue could\nallow an attacker to construct a cookie value to exfiltrate HttpOnly cookie\nvalues or spoof arbitrary additional cookie values, leading to unauthorized\ndata access or modification. The main threat from this flaw impacts data\nconfidentiality and integrity."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en Quarkus-HTTP que analiza incorrectamente las cookies con ciertos caracteres que delimitan valores en las solicitudes entrantes. Este problema podr\u00eda permitir que un atacante construya un valor de cookie para extraer valores de cookies HttpOnly o falsificar valores de cookies adicionales arbitrarios, lo que lleva a un acceso o modificaci\u00f3n de datos no autorizados. La principal amenaza de esta falla afecta la confidencialidad e integridad de los datos."}], "id": "CVE-2024-12397", "lastModified": "2025-06-10T11:15:21.283", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-12-12T09:15:05.570", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:0900"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:3018"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:8761"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-12397"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2331298"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:3018", "cpe": "cpe:/a:redhat:cryostat:4::el9", "package": "cryostat/cryostat-agent-init-rhel9:0.5.0-6", "product_name": "Cryostat 4 on RHEL 9", "release_date": "2025-03-19T00:00:00Z"}, {"advisory": "RHSA-2025:3018", "cpe": "cpe:/a:redhat:cryostat:4::el9", "package": "cryostat/cryostat-db-rhel9:4.0.0-7", "product_name": "Cryostat 4 on RHEL 9", "release_date": "2025-03-19T00:00:00Z"}, {"advisory": "RHSA-2025:3018", "cpe": "cpe:/a:redhat:cryostat:4::el9", "package": "cryostat/cryostat-grafana-dashboard-rhel9:4.0.0-7", "product_name": "Cryostat 4 on RHEL 9", "release_date": "2025-03-19T00:00:00Z"}, {"advisory": "RHSA-2025:3018", "cpe": "cpe:/a:redhat:cryostat:4::el9", "package": "cryostat/cryostat-openshift-console-plugin-rhel9:4.0.0-7", "product_name": "Cryostat 4 on RHEL 9", "release_date": "2025-03-19T00:00:00Z"}, {"advisory": "RHSA-2025:3018", "cpe": "cpe:/a:redhat:cryostat:4::el9", "package": "cryostat/cryostat-operator-bundle:4.0.0-7", "product_name": "Cryostat 4 on RHEL 9", "release_date": "2025-03-19T00:00:00Z"}, {"advisory": "RHSA-2025:3018", "cpe": "cpe:/a:redhat:cryostat:4::el9", "package": "cryostat/cryostat-ose-oauth-proxy-rhel9:4.0.0-7", "product_name": "Cryostat 4 on RHEL 9", "release_date": "2025-03-19T00:00:00Z"}, {"advisory": "RHSA-2025:3018", "cpe": "cpe:/a:redhat:cryostat:4::el9", "package": "cryostat/cryostat-reports-rhel9:4.0.0-7", "product_name": "Cryostat 4 on RHEL 9", "release_date": "2025-03-19T00:00:00Z"}, {"advisory": "RHSA-2025:3018", "cpe": "cpe:/a:redhat:cryostat:4::el9", "package": "cryostat/cryostat-rhel9:4.0.0-7", "product_name": "Cryostat 4 on RHEL 9", "release_date": "2025-03-19T00:00:00Z"}, {"advisory": "RHSA-2025:3018", "cpe": "cpe:/a:redhat:cryostat:4::el9", "package": "cryostat/cryostat-rhel9-operator:4.0.0-7", "product_name": "Cryostat 4 on RHEL 9", "release_date": "2025-03-19T00:00:00Z"}, {"advisory": "RHSA-2025:3018", "cpe": "cpe:/a:redhat:cryostat:4::el9", "package": "cryostat/cryostat-storage-rhel9:4.0.0-7", "product_name": "Cryostat 4 on RHEL 9", "release_date": "2025-03-19T00:00:00Z"}, {"advisory": "RHSA-2025:3018", "cpe": "cpe:/a:redhat:cryostat:4::el9", "package": "cryostat/jfr-datasource-rhel9:4.0.0-7", "product_name": "Cryostat 4 on RHEL 9", "release_date": "2025-03-19T00:00:00Z"}, {"advisory": "RHSA-2025:8761", "cpe": "cpe:/a:redhat:apache_camel_hawtio:4.2::el6", "package": "io.quarkus.http/quarkus-http-core", "product_name": "HawtIO HawtIO 4.2.0", "release_date": "2025-06-10T00:00:00Z"}, {"advisory": "RHSA-2025:0900", "cpe": "cpe:/a:redhat:quarkus:3.15::el8", "package": "io.quarkus.http/quarkus-http-core", "product_name": "Red Hat build of Quarkus 3.15.3", "release_date": "2025-02-05T00:00:00Z"}], "bugzilla": {"description": "io.quarkus.http/quarkus-http-core: Quarkus HTTP Cookie Smuggling", "id": "2331298", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2331298"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-444", "details": ["A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with\ncertain value-delimiting characters in incoming requests. This issue could\nallow an attacker to construct a cookie value to exfiltrate HttpOnly cookie\nvalues or spoof arbitrary additional cookie values, leading to unauthorized\ndata access or modification. The main threat from this flaw impacts data\nconfidentiality and integrity.", "A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with\ncertain value-delimiting characters in incoming requests. This issue could\nallow an attacker to construct a cookie value to exfiltrate HttpOnly cookie\nvalues or spoof arbitrary additional cookie values, leading to unauthorized\ndata access or modification. The main threat from this flaw impacts data\nconfidentiality and integrity."], "mitigation": {"lang": "en:us", "value": "Currently, no mitigation is available for this vulnerability."}, "name": "CVE-2024-12397", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:3", "fix_state": "Affected", "package_name": "io.quarkus.http/quarkus-http-core", "product_name": "Cryostat 3"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Affected", "package_name": "com.redhat.quarkus.platform/quarkus-camel-bom", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Affected", "package_name": "com.redhat.quarkus.platform/quarkus-cxf-bom", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Affected", "package_name": "io.quarkus.http/quarkus-http-core", "product_name": "Red Hat build of Apache Camel - HawtIO 4"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "io.quarkus.http/quarkus-http-core", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "io.quarkus.http/quarkus-http-core", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Will not fix", "package_name": "io.quarkus.http/quarkus-http-core", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "io.quarkus.http/quarkus-http-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "package_name": "io.quarkus.http/quarkus-http-core", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "io.quarkus.http/quarkus-http-core", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "io.quarkus.http/quarkus-http-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Affected", "package_name": "io.quarkus.http/quarkus-http-core", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Affected", "package_name": "io.quarkus.http/quarkus-http-core", "product_name": "streams for Apache Kafka"}], "public_date": "2024-12-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-12397\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-12397"], "statement": "Red Hat has evaluated this vulnerability. This is a very similar vulnerability to an Undertow, seen in CVE-2023-4639.\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nThe platform uses secure, encrypted HTTPS connections over TLS 1.2 to reduce the risk of smuggling attacks by preventing the injection of ambiguous or malformed requests between components. The environment employs IPS/IDS and antimalware solutions to detect and block malicious code while ensuring consistent interpretation of HTTP requests across network layers, mitigating request/response inconsistencies. Event logs are collected and analyzed for centralization, correlation, monitoring, alerting, and retention, enabling the detection of malformed or suspicious HTTP traffic. Static code analysis and peer reviews enforce strong input validation and error handling to ensure all user inputs adhere to HTTP protocol specifications.", "threat_severity": "Moderate"}