CVE-2024-12397

HIGH Year: 2024
CVSS v3 Score
7.4
High
Weakness Type
CWE-444
View all →

Vulnerability Description

A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.

Related Vulnerabilities

CVE-2017-15643

HIGH
CVSS:7.4(High)

An active network attacker (MiTM) can achieve remote code execution on a machine that runs IKARUS Anti Virus 2.16.7. IKARUS AV for Windows uses cleartext HTTP for updates along with a CRC32 checksum a...

CWE-4442017

CVE-2020-8201

HIGH
CVSS:7.4(High)

Node.js < 12.18.4 and < 14.11 can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, ...

CWE-4442020

CVE-2023-4639

HIGH
CVSS:7.4(High)

A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltra...

CWE-4442023

CVE-2017-12165

HIGH
CVSS:7.5(High)

It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause possible http request smuggling.

CWE-4442017

CVE-2017-7656

HIGH
CVSS:7.5(High)

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line ...

CWE-4442017

CVE-2019-1020012

HIGH
CVSS:7.5(High)

parse-server before 3.4.1 allows DoS after any POST to a volatile class.

CWE-4442019