{
  "threat_severity" : "Moderate",
  "public_date" : "2024-12-10T00:00:00Z",
  "bugzilla" : {
    "description" : "io.quarkus.http/quarkus-http-core: Quarkus HTTP Cookie Smuggling",
    "id" : "2331298",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2331298"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-444",
  "details" : [ "A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with\ncertain value-delimiting characters in incoming requests. This issue could\nallow an attacker to construct a cookie value to exfiltrate HttpOnly cookie\nvalues or spoof arbitrary additional cookie values, leading to unauthorized\ndata access or modification. The main threat from this flaw impacts data\nconfidentiality and integrity.", "A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with\ncertain value-delimiting characters in incoming requests. This issue could\nallow an attacker to construct a cookie value to exfiltrate HttpOnly cookie\nvalues or spoof arbitrary additional cookie values, leading to unauthorized\ndata access or modification. The main threat from this flaw impacts data\nconfidentiality and integrity." ],
  "statement" : "Red Hat has evaluated this vulnerability. It is very similar to the Undertow vulnerability tracked as CVE-2023-4639.",
  "affected_release" : [ {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-03-19T00:00:00Z",
    "advisory" : "RHSA-2025:3018",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-agent-init-rhel9:0.5.0-6"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-03-19T00:00:00Z",
    "advisory" : "RHSA-2025:3018",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-db-rhel9:4.0.0-7"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-03-19T00:00:00Z",
    "advisory" : "RHSA-2025:3018",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-grafana-dashboard-rhel9:4.0.0-7"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-03-19T00:00:00Z",
    "advisory" : "RHSA-2025:3018",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-openshift-console-plugin-rhel9:4.0.0-7"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-03-19T00:00:00Z",
    "advisory" : "RHSA-2025:3018",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-operator-bundle:4.0.0-7"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-03-19T00:00:00Z",
    "advisory" : "RHSA-2025:3018",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-ose-oauth-proxy-rhel9:4.0.0-7"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-03-19T00:00:00Z",
    "advisory" : "RHSA-2025:3018",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-reports-rhel9:4.0.0-7"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-03-19T00:00:00Z",
    "advisory" : "RHSA-2025:3018",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-rhel9:4.0.0-7"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-03-19T00:00:00Z",
    "advisory" : "RHSA-2025:3018",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-rhel9-operator:4.0.0-7"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-03-19T00:00:00Z",
    "advisory" : "RHSA-2025:3018",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-storage-rhel9:4.0.0-7"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-03-19T00:00:00Z",
    "advisory" : "RHSA-2025:3018",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/jfr-datasource-rhel9:4.0.0-7"
  }, {
    "product_name" : "HawtIO HawtIO 4.2.0",
    "release_date" : "2025-06-10T00:00:00Z",
    "advisory" : "RHSA-2025:8761",
    "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4.2::el6",
    "package" : "io.quarkus.http/quarkus-http-core"
  }, {
    "product_name" : "Red Hat build of Quarkus 3.15.3",
    "release_date" : "2025-02-05T00:00:00Z",
    "advisory" : "RHSA-2025:0900",
    "cpe" : "cpe:/a:redhat:quarkus:3.15::el8",
    "package" : "io.quarkus.http/quarkus-http-core"
  } ],
  "package_state" : [ {
    "product_name" : "Cryostat 3",
    "fix_state" : "Affected",
    "package_name" : "io.quarkus.http/quarkus-http-core",
    "cpe" : "cpe:/a:redhat:cryostat:3"
  }, {
    "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3",
    "fix_state" : "Affected",
    "package_name" : "com.redhat.quarkus.platform/quarkus-camel-bom",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3"
  }, {
    "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3",
    "fix_state" : "Affected",
    "package_name" : "com.redhat.quarkus.platform/quarkus-cxf-bom",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 2",
    "fix_state" : "Affected",
    "package_name" : "io.quarkus.http/quarkus-http-core",
    "cpe" : "cpe:/a:redhat:service_registry:2"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Affected",
    "package_name" : "io.quarkus.http/quarkus-http-core",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat build of OptaPlanner 8",
    "fix_state" : "Will not fix",
    "package_name" : "io.quarkus.http/quarkus-http-core",
    "cpe" : "cpe:/a:redhat:optaplanner:::el6"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Out of support scope",
    "package_name" : "io.quarkus.http/quarkus-http-core",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Affected",
    "package_name" : "io.quarkus.http/quarkus-http-core",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "io.quarkus.http/quarkus-http-core",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "io.quarkus.http/quarkus-http-core",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Affected",
    "package_name" : "io.quarkus.http/quarkus-http-core",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "streams for Apache Kafka",
    "fix_state" : "Affected",
    "package_name" : "io.quarkus.http/quarkus-http-core",
    "cpe" : "cpe:/a:redhat:amq_streams:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-12397\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-12397" ],
  "name" : "CVE-2024-12397",
  "mitigation" : {
    "value" : "Currently, no mitigation (workaround) is available for this vulnerability; the only remediation is to update to a fixed release, such as those listed under the advisories in affected_release.",
    "lang" : "en:us"
  },
  "csaw" : false
}