Project: Red Hat build of Keycloak
Issue: RHBK-2782

CVE-2024-12397 - HTTP Request Smuggling in io.quarkus.http:quarkus-http-core [GHI#36195]


    • Linked issue: RHBK-2757 - Release Red Hat Build of KeyCloak

      Package: io.quarkus.http:quarkus-http-core
      Introduced through: org.keycloak:keycloak-quarkus-server-deployment@999.0.0-SNAPSHOT › io.quarkus:quarkus-micrometer-deployment@3.15.1 › io.quarkus:quarkus-undertow-spi@3.15.1 › io.quarkus.http:quarkus-http-servlet@5.3.2 › io.quarkus.http:quarkus-http-core@5.3.2

      Overview

      Affected versions of this package are vulnerable to HTTP Request Smuggling because the server-side parser mishandles cookies whose values contain certain value-delimiting characters in incoming requests. An attacker who controls one cookie value can cause the parser to fold other cookies into it, or to split it into cookies the client never sent, and can thereby exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. Note that HttpOnly only stops script in the browser from reading a cookie; it gives no protection once the server's own parser copies that cookie's value into an attacker-controlled cookie that the application echoes back.
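      The following is an illustration added to this issue, not code from quarkus-http or Keycloak: two toy Cookie-header parsers run over constructed headers. The lenient one is assumed here to show two legacy delimiter behaviours (a value opening with a double quote is read up to the next quote, across `;` separators, and `,` is treated as a pair separator); the strict one follows RFC 6265 section 5.4 (split on `;` only, split each pair at its first `=`, interpret nothing else). The page does not state which delimiter handling was fixed in 5.3.4, so the lenient behaviours, the `theme_banner` application code and the cookie names are assumptions chosen to show the vulnerability class.

```python
from __future__ import annotations

# Constructed illustration of the cookie-parsing defect class.
# Neither parser is the quarkus-http implementation; the lenient behaviours
# below are assumed for the demonstration, not taken from the fixed code.


def parse_cookie_lenient(header: str) -> dict[str, str]:
    """Assumed lenient (legacy-style) Cookie parser.

    Differs from what browsers send in two ways:
      * a value that opens with '"' is read up to the next '"', even if that
        swallows later '; name=value' pairs;
      * ',' is treated as a pair separator in addition to ';'.
    """
    cookies: dict[str, str] = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in " ;,":      # skip separators
            i += 1
        if i >= n:
            break
        eq = header.find("=", i)
        if eq == -1:
            break
        name = header[i:eq].strip()
        i = eq + 1
        if i < n and header[i] == '"':           # quoted value
            end = header.find('"', i + 1)
            if end == -1:
                end = n                          # unterminated: eat the rest
            value = header[i + 1:end]
            i = end + 1
        else:                                    # unquoted value
            end = i
            while end < n and header[end] not in ";,":
                end += 1
            value = header[i:end].strip()
            i = end
        cookies[name] = value
    return cookies


def parse_cookie_strict(header: str) -> dict[str, str]:
    """RFC 6265 section 5.4 style parser: split on ';' only, split each pair
    at its first '=', never interpret quotes or commas. The first occurrence
    of a name wins, so a later duplicate cannot override an earlier cookie."""
    cookies: dict[str, str] = {}
    for pair in header.split(";"):
        name, sep, value = pair.partition("=")
        name = name.strip()
        if not sep or not name:
            continue
        cookies.setdefault(name, value.strip())
    return cookies


def theme_banner(cookies: dict[str, str]) -> str:
    """Hypothetical application code that echoes a harmless cookie back to
    the client (into a page body or a response header)."""
    return "theme=" + cookies.get("theme", "default")


# Constructed Cookie headers (not captured traffic). In both, the server set
# 'session' with HttpOnly; the attacker controls 'theme' / 'pref' from script
# on the same site, which cannot read 'session' directly.
EXFIL_HEADER = 'theme="; session=SECRET-HTTPONLY'
SPOOF_HEADER = "session=SECRET-HTTPONLY; pref=dark,role=admin"


def leaks_session(parser) -> bool:
    """True if the echoed 'theme' value carries the HttpOnly session value."""
    return "SECRET-HTTPONLY" in theme_banner(parser(EXFIL_HEADER))


def spoofed_names(parser) -> set[str]:
    """Cookie names the parser sees that the client never sent as cookies."""
    return set(parser(SPOOF_HEADER)) - {"session", "pref"}


if __name__ == "__main__":
    for p in (parse_cookie_lenient, parse_cookie_strict):
        print(p.__name__, "leaks session:", leaks_session(p),
              "spoofed names:", spoofed_names(p))
```

      With the lenient parser the quote in `theme="` swallows `; session=SECRET-HTTPONLY`, so the echoed banner contains the HttpOnly value and the `session` cookie disappears from the request entirely; the comma in `pref=dark,role=admin` manufactures a `role` cookie the browser never sent. The strict parser keeps `session` intact and leaves the comma inside `pref`, which is the behaviour a server-side parser needs to agree with browsers and upstream proxies.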

      Remediation

      Upgrade io.quarkus.http:quarkus-http-core to version 5.3.4 or higher. Because the package arrives transitively through the Quarkus dependencies of keycloak-quarkus-server-deployment (see the chain above), the effective version is set by the Quarkus release Keycloak builds against rather than by a direct dependency; after upgrading, confirm in the resolved dependency tree that quarkus-http-core@5.3.4 or later is what actually ends up on the classpath.

      References

              Assignee: Unassigned
              Reporter: Pavel Vlha (pvlha)
              Component: Keycloak Cloud Native