CVE-2024-12397

Published: Dec 12, 2024

Modified: Jan 28, 2026

PUBLISHED

CVSS v3.1

7.4

HIGH

Description

A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.

Vendor	Product	Versions
Unknown	quarkus-http	affected `0 - < 5.3.4`
Red Hat	Cryostat 4 on RHEL 9	unaffected `0.5.0-6 - < *`
Red Hat	Cryostat 4 on RHEL 9	unaffected `4.0.0-7 - < *`
Red Hat	Cryostat 4 on RHEL 9	unaffected `4.0.0-7 - < *`
Red Hat	Cryostat 4 on RHEL 9	unaffected `4.0.0-7 - < *`
Red Hat	Cryostat 4 on RHEL 9	unaffected `4.0.0-7 - < *`
Red Hat	Cryostat 4 on RHEL 9	unaffected `4.0.0-7 - < *`
Red Hat	Cryostat 4 on RHEL 9	unaffected `4.0.0-7 - < *`
Red Hat	Cryostat 4 on RHEL 9	unaffected `4.0.0-7 - < *`
Red Hat	Cryostat 4 on RHEL 9	unaffected `4.0.0-7 - < *`
Red Hat	Cryostat 4 on RHEL 9	unaffected `4.0.0-7 - < *`
Red Hat	Cryostat 4 on RHEL 9	unaffected `4.0.0-7 - < *`
Red Hat	HawtIO HawtIO 4.2.0	All versions
Red Hat	Red Hat build of Quarkus 3.15.3	All versions
Red Hat	Cryostat 3	All versions
Red Hat	Red Hat build of Apache Camel 4 for Quarkus 3	All versions
Red Hat	Red Hat build of Apache Camel 4 for Quarkus 3	All versions
Red Hat	Red Hat build of Apicurio Registry 2	All versions
Red Hat	Red Hat Build of Keycloak	All versions
Red Hat	Red Hat build of OptaPlanner 8	All versions
Red Hat	Red Hat Fuse 7	All versions
Red Hat	Red Hat Integration Camel K 1	All versions
Red Hat	Red Hat JBoss Enterprise Application Platform 8	All versions
Red Hat	Red Hat JBoss Enterprise Application Platform Expansion Pack	All versions
Red Hat	Red Hat Process Automation 7	All versions
Red Hat	streams for Apache Kafka	All versions