Home > Vulnerability Database > CVE-2024-12397

Mend.io Vulnerability Database

CVE-2024-12397

Good to know:

Date: December 12, 2024

A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.

Language: Java

Severity Score

7.4

Related Resources (11)

Url: https://access.redhat.com/errata/RHSA-2025:1082

Url: https://access.redhat.com/errata/RHSA-2025:0900

Url: https://github.com/quarkusio/quarkus-http

Url: https://access.redhat.com/errata/RHSA-2025:8761

Url: https://access.redhat.com/security/cve/CVE-2024-12397

Url: https://github.com/quarkusio/quarkus-http/pull/170

Url: https://access.redhat.com/errata/RHSA-2025:3018

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-12397

Url: https://bugzilla.redhat.com/show_bug.cgi?id=2331298

Url: https://github.com/quarkusio/quarkus-http/commit/cfc99d80fce2e3a3dbf06972e648e79e925a7ae7

Url: https://www.mend.io/vulnerability-database/CVE-2024-12397

Severity Score

7.4

Weakness Type (CWE)

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CWE-444

Top Fix

Upgrade Version

Upgrade to version io.quarkus.http:quarkus-http-core:5.3.4

Learn More

CVSS v3.1

Base Score:	7.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-12397

Good to know:

Date: December 12, 2024

Language: Java

Severity Score

Related Resources (11)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?