Description
A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.
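To make the bug class concrete, here is an added example, not Quarkus-HTTP's or Undertow's code, that models the parser behaviour the description and the referenced Undertow flaw CVE-2023-4639 point at: a cookie value that opens with a double quote is read through to the closing quote, so the `;` separators inside it stop delimiting cookies, and anything after the closing quote is taken as the next `name=value` pair. The model sits beside a strict parser that follows the RFC 6265 cookie-string grammar (split on `;` first, then each pair on its first `=`, quotes carrying no delimiting power) and a `diverges` check that can be run over captured Cookie headers. The header strings, cookie names and values are constructed for the demonstration. That the double quote is the relevant value-delimiting character, and that the attacker can set a non-HttpOnly cookie for the site (for example from script on the same site) and observe how the server parsed it (for example a reflected preference), are assumptions of this example, not statements from the advisory.

```python
# Added example: model of the cookie-smuggling bug class beside a strict parser.
# Not Quarkus-HTTP code; the quote-handling behaviour is an assumption drawn
# from the advisory text and the referenced Undertow CVE-2023-4639.

# Constructed Cookie headers as a browser would send them. In both, the first
# cookie is attacker-controlled (settable without HttpOnly, e.g. from script on
# the same site); the later ones stand in for the server's HttpOnly cookies.
EXFIL_HEADER = 'pref="; JSESSIONID=abc123def; csrf=tok99'
SPOOF_HEADER = 'a="x"admin=1; JSESSIONID=s3cr3t'


def parse_cookies_lenient(header: str) -> dict:
    """Model of the vulnerable behaviour: a value that opens with '"' runs to
    the closing quote (or to the end of the header), so ';' inside it is data,
    not a separator. Text after the closing quote becomes the next pair."""
    cookies = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in ' ;':          # skip separators
            i += 1
        start = i
        while i < n and header[i] not in '=;':      # cookie name
            i += 1
        name = header[start:i].strip()
        value = ''
        if i < n and header[i] == '=':
            i += 1
            if i < n and header[i] == '"':          # quoted value: the flaw
                end = header.find('"', i + 1)
                if end == -1:                       # unterminated: swallow rest
                    end = n
                value = header[i + 1:end]
                i = end + 1
            else:                                   # bare value: up to ';'
                end = header.find(';', i)
                if end == -1:
                    end = n
                value = header[i:end].strip()
                i = end
        if name:
            cookies[name] = value
    return cookies


def parse_cookies_strict(header: str) -> dict:
    """RFC 6265 cookie-string grammar: split on ';' first, then each pair on
    its first '='. A quote has no delimiting power, so a value is exactly the
    bytes between '=' and the next ';', whatever they contain."""
    cookies = {}
    for pair in header.split(';'):
        name, sep, value = pair.partition('=')
        name = name.strip()
        if name and sep:
            cookies[name] = value.strip()
    return cookies


def diverges(header: str) -> bool:
    """True when the two parsers disagree, which is the property an attacker
    needs. Usable as a triage check over captured Cookie headers or fuzz input."""
    return parse_cookies_lenient(header) != parse_cookies_strict(header)


if __name__ == '__main__':
    for label, header in (('exfiltration', EXFIL_HEADER), ('spoofing', SPOOF_HEADER)):
        print(f'{label}: {header!r}')
        print('  lenient:', parse_cookies_lenient(header))   # HttpOnly value leaks / admin=1 appears
        print('  strict: ', parse_cookies_strict(header))
        print('  diverges:', diverges(header))
```

With `EXFIL_HEADER` the lenient model returns the HttpOnly `JSESSIONID` and `csrf` values inside `pref`, so any place the application echoes or logs `pref` leaks them; with `SPOOF_HEADER` it reports an `admin=1` cookie the browser never sent as a separate cookie. The strict parser yields `pref='"'` and `a='"x"admin=1'` and keeps the server's cookies intact. Note that `diverges` also fires on a benignly quoted value such as `q="x"` (the lenient model strips the quotes, the strict one keeps them), so treat a hit as a signal to inspect rather than as proof of an attack.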
Statement
Red Hat has evaluated this vulnerability. It is very similar to the Undertow cookie-parsing flaw tracked as CVE-2023-4639. Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-444 (Inconsistent Interpretation of HTTP Requests, 'HTTP Request/Response Smuggling') vulnerability, and therefore downgrades the severity of this particular CVE from Moderate to Low. The platform uses encrypted HTTPS connections over TLS 1.2 to reduce the risk of smuggling attacks by preventing the injection of ambiguous or malformed requests between components. The environment employs IPS/IDS and anti-malware solutions to detect and block malicious code while ensuring consistent interpretation of HTTP requests across network layers, mitigating request/response inconsistencies. Event logs are centrally collected, correlated, monitored, alerted on and retained, enabling the detection of malformed or suspicious HTTP traffic. Static code analysis and peer review enforce strong input validation and error handling so that all user input adheres to the HTTP protocol specifications.
Mitigation
Currently, no mitigation is available for this vulnerability.
Affected Packages
| Platform | Package | State | Errata | Release Date |
|---|---|---|---|---|
| Cryostat 3 | io.quarkus.http/quarkus-http-core | Affected | | |
| Red Hat build of Apache Camel 4 for Quarkus 3 | com.redhat.quarkus.platform/quarkus-camel-bom | Affected | | |
| Red Hat build of Apache Camel 4 for Quarkus 3 | com.redhat.quarkus.platform/quarkus-cxf-bom | Affected | | |
| Red Hat build of Apicurio Registry 2 | io.quarkus.http/quarkus-http-core | Affected | | |
| Red Hat Build of Keycloak | io.quarkus.http/quarkus-http-core | Affected | | |
| Red Hat build of OptaPlanner 8 | io.quarkus.http/quarkus-http-core | Will not fix | | |
| Red Hat Fuse 7 | io.quarkus.http/quarkus-http-core | Out of support scope | | |
| Red Hat Integration Camel K 1 | io.quarkus.http/quarkus-http-core | Affected | | |
| Red Hat JBoss Enterprise Application Platform 8 | io.quarkus.http/quarkus-http-core | Not affected | | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack | io.quarkus.http/quarkus-http-core | Not affected | | |
Additional Information
Status:
EPSS:
CVSS3: 7.4 (High)
Related Vulnerabilities
io.quarkus.http/quarkus-http-core: Quarkus HTTP Cookie Smuggling