csaf_certbund - wid-sec-w-2025-0285

WID-SEC-W-2025-0285

Vulnerability from csaf_certbund - Published: 2025-02-05 23:00 - Updated: 2025-06-09 22:00

Summary

Red Hat Enterprise Linux (Quarkus und Netty): Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.

Angriff

Ein anonymer oder lokaler Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux ausnutzen, um Dateien zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen.

Betroffene Betriebssysteme

- UNIX

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Red Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein anonymer oder lokaler Angreifer kann mehrere Schwachstellen in Red Hat Enterprise Linux ausnutzen, um Dateien zu manipulieren, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0285 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0285.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0285 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0285"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory vom 2025-02-05",
        "url": "https://access.redhat.com/errata/RHSA-2025:0900"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory vom 2025-02-05",
        "url": "https://access.redhat.com/errata/RHSA-2025:1082"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:2416 vom 2025-03-05",
        "url": "https://access.redhat.com/errata/RHSA-2025:2416"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:3018 vom 2025-03-19",
        "url": "https://access.redhat.com/errata/RHSA-2025:3018"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:3358 vom 2025-03-27",
        "url": "https://access.redhat.com/errata/RHSA-2025:3358"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:3357 vom 2025-03-27",
        "url": "https://access.redhat.com/errata/RHSA-2025:3357"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7185400 vom 2025-03-29",
        "url": "https://www.ibm.com/support/pages/node/7185400"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:3465 vom 2025-04-01",
        "url": "https://access.redhat.com/errata/RHSA-2025:3465"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:3467 vom 2025-04-01",
        "url": "https://access.redhat.com/errata/RHSA-2025:3467"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7229901 vom 2025-04-02",
        "url": "https://www.ibm.com/support/pages/node/7229901"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7231033 vom 2025-04-16",
        "url": "https://www.ibm.com/support/pages/node/7231033"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7231945 vom 2025-04-28",
        "url": "https://www.ibm.com/support/pages/node/7231945"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7232032 vom 2025-04-29",
        "url": "https://www.ibm.com/support/pages/node/7232032"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:4548 vom 2025-05-06",
        "url": "https://access.redhat.com/errata/RHSA-2025:4548"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:4552 vom 2025-05-06",
        "url": "https://access.redhat.com/errata/RHSA-2025:4552"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:4550 vom 2025-05-06",
        "url": "https://access.redhat.com/errata/RHSA-2025:4550"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:4549 vom 2025-05-06",
        "url": "https://access.redhat.com/errata/RHSA-2025:4549"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin",
        "url": "https://www.ibm.com/support/pages/node/7234827"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2025:8761 vom 2025-06-10",
        "url": "https://access.redhat.com/errata/RHSA-2025:8761"
      }
    ],
    "source_lang": "en-US",
    "title": "Red Hat Enterprise Linux (Quarkus und Netty): Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-06-09T22:00:00.000+00:00",
      "generator": {
        "date": "2025-06-10T11:09:18.185+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-0285",
      "initial_release_date": "2025-02-05T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-02-05T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-03-05T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-03-19T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-03-27T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-03-30T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-04-01T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-04-02T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-04-15T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-04-27T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-04-28T22:00:00.000+00:00",
          "number": "10",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-05-06T22:00:00.000+00:00",
          "number": "11",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2025-05-27T22:00:00.000+00:00",
          "number": "12",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-06-09T22:00:00.000+00:00",
          "number": "13",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "13"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "11.7",
                "product": {
                  "name": "IBM InfoSphere Information Server 11.7",
                  "product_id": "444803",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:infosphere_information_server:11.7"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "InfoSphere Information Server"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cV8.11.0.1 Interim fix 042",
                "product": {
                  "name": "IBM Operational Decision Manager \u003cV8.11.0.1 Interim fix 042",
                  "product_id": "T043174"
                }
              },
              {
                "category": "product_version",
                "name": "V8.11.0.1 Interim fix 042",
                "product": {
                  "name": "IBM Operational Decision Manager V8.11.0.1 Interim fix 042",
                  "product_id": "T043174-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:operational_decision_manager:v8.11.0.1_interim_fix_042"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cV8.11.1.0: Interim fix 039",
                "product": {
                  "name": "IBM Operational Decision Manager \u003cV8.11.1.0: Interim fix 039",
                  "product_id": "T043175"
                }
              },
              {
                "category": "product_version",
                "name": "V8.11.1.0: Interim fix 039",
                "product": {
                  "name": "IBM Operational Decision Manager V8.11.1.0: Interim fix 039",
                  "product_id": "T043175-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:operational_decision_manager:v8.11.1.0_interim_fix_039"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cV8.12.0.1: Interim fix 024",
                "product": {
                  "name": "IBM Operational Decision Manager \u003cV8.12.0.1: Interim fix 024",
                  "product_id": "T043176"
                }
              },
              {
                "category": "product_version",
                "name": "V8.12.0.1: Interim fix 024",
                "product": {
                  "name": "IBM Operational Decision Manager V8.12.0.1: Interim fix 024",
                  "product_id": "T043176-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:operational_decision_manager:v8.12.0.1_interim_fix_024"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cV9.0.0.1: Interim fix 007",
                "product": {
                  "name": "IBM Operational Decision Manager \u003cV9.0.0.1: Interim fix 007",
                  "product_id": "T043177"
                }
              },
              {
                "category": "product_version",
                "name": "V9.0.0.1: Interim fix 007",
                "product": {
                  "name": "IBM Operational Decision Manager V9.0.0.1: Interim fix 007",
                  "product_id": "T043177-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:operational_decision_manager:v9.0.0.1_interim_fix_007"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Operational Decision Manager"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Analytic Server",
                "product": {
                  "name": "IBM SPSS Analytic Server",
                  "product_id": "T011789",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:spss:analytic_server"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "SPSS"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "12",
                "product": {
                  "name": "IBM Security Guardium 12",
                  "product_id": "T043916",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:security_guardium:sqlguard_12.0p35_bundle_jan-28-2025"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Security Guardium"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c6.3.0.12",
                "product": {
                  "name": "IBM Sterling Connect:Direct \u003c6.3.0.12",
                  "product_id": "T042880"
                }
              },
              {
                "category": "product_version",
                "name": "6.3.0.12",
                "product": {
                  "name": "IBM Sterling Connect:Direct 6.3.0.12",
                  "product_id": "T042880-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:sterling_connect%3adirect:6.3.0.12"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.2.0.27",
                "product": {
                  "name": "IBM Sterling Connect:Direct \u003c6.2.0.27",
                  "product_id": "T042883"
                }
              },
              {
                "category": "product_version",
                "name": "6.2.0.27",
                "product": {
                  "name": "IBM Sterling Connect:Direct 6.2.0.27",
                  "product_id": "T042883-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:sterling_connect%3adirect:6.2.0.27"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Sterling Connect:Direct"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Multiplatforms",
                "product": {
                  "name": "IBM TXSeries Multiplatforms",
                  "product_id": "T036617",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:txseries:for_multiplatforms"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "TXSeries"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux",
                "product": {
                  "name": "Red Hat Enterprise Linux",
                  "product_id": "67646",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:-"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Quarkus \u003c3.15.3",
                "product": {
                  "name": "Red Hat Enterprise Linux Quarkus \u003c3.15.3",
                  "product_id": "T040876"
                }
              },
              {
                "category": "product_version",
                "name": "Quarkus 3.15.3",
                "product": {
                  "name": "Red Hat Enterprise Linux Quarkus 3.15.3",
                  "product_id": "T040876-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:quarkus__3.15.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Apache Camel 4.8 for Quarkus \u003c3.15",
                "product": {
                  "name": "Red Hat Enterprise Linux Apache Camel 4.8 for Quarkus \u003c3.15",
                  "product_id": "T040877"
                }
              },
              {
                "category": "product_version",
                "name": "Apache Camel 4.8 for Quarkus 3.15",
                "product": {
                  "name": "Red Hat Enterprise Linux Apache Camel 4.8 for Quarkus 3.15",
                  "product_id": "T040877-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:apache_camel_4.8_for_quarkus__3.15"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Cryostat 4",
                "product": {
                  "name": "Red Hat Enterprise Linux Cryostat 4",
                  "product_id": "T042011",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:cryostat_4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "Apache Camel 1",
                "product": {
                  "name": "Red Hat Enterprise Linux Apache Camel 1",
                  "product_id": "T044468",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:apache_camel_1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "Streams 2",
                "product": {
                  "name": "Red Hat JBoss A-MQ Streams 2",
                  "product_id": "T041596",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_amq:streams_2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "JBoss A-MQ"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c7.4.21",
                "product": {
                  "name": "Red Hat JBoss Enterprise Application Platform \u003c7.4.21",
                  "product_id": "T042265"
                }
              },
              {
                "category": "product_version",
                "name": "7.4.21",
                "product": {
                  "name": "Red Hat JBoss Enterprise Application Platform 7.4.21",
                  "product_id": "T042265-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4.21"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "JBoss Enterprise Application Platform"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-12397",
      "product_status": {
        "known_affected": [
          "T011789",
          "T036617",
          "67646",
          "T040877",
          "T043916",
          "T042883",
          "T044468",
          "444803",
          "T040876",
          "T043174",
          "T043175",
          "T043176",
          "T041596",
          "T042011",
          "T042880",
          "T043177",
          "T042265"
        ]
      },
      "release_date": "2025-02-05T23:00:00.000+00:00",
      "title": "CVE-2024-12397"
    },
    {
      "cve": "CVE-2024-47535",
      "product_status": {
        "known_affected": [
          "T011789",
          "T036617",
          "67646",
          "T043916",
          "T042883",
          "T044468",
          "444803",
          "T040876",
          "T043174",
          "T043175",
          "T043176",
          "T041596",
          "T042011",
          "T042880",
          "T043177",
          "T042265"
        ]
      },
      "release_date": "2025-02-05T23:00:00.000+00:00",
      "title": "CVE-2024-47535"
    }
  ]
}

CVE-2024-47535 (GCVE-0-2024-47535)

Vulnerability from cvelistv5 – Published: 2024-11-12 15:50 – Updated: 2024-11-13 20:44

Summary

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	netty	netty	Affected: < 4.1.115

CVE-2024-12397 (GCVE-0-2024-12397)

Vulnerability from cvelistv5 – Published: 2024-12-12 09:05 – Updated: 2025-11-11 16:11

Summary

A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.

Severity ?

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Assigner

redhat

References

URL

Tags

	https://access.redhat.com/errata/RHSA-2025:0900	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:3018	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:8761	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/security/cve/CVE-2024-12397	vdb-entryx_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2331298	issue-trackingx_refsource_REDHAT

Impacted products

Vendor

Product

Version

Affected: 0 , < 5.3.4 (semver)

Red Hat	Cryostat 4 on RHEL 9	Unaffected: 0.5.0-6 , < * (rpm) cpe:/a:redhat:cryostat:4::el9
Red Hat	Cryostat 4 on RHEL 9	Unaffected: 4.0.0-7 , < * (rpm) cpe:/a:redhat:cryostat:4::el9
Red Hat	Cryostat 4 on RHEL 9	Unaffected: 4.0.0-7 , < * (rpm) cpe:/a:redhat:cryostat:4::el9
Red Hat	Cryostat 4 on RHEL 9	Unaffected: 4.0.0-7 , < * (rpm) cpe:/a:redhat:cryostat:4::el9
Red Hat	Cryostat 4 on RHEL 9	Unaffected: 4.0.0-7 , < * (rpm) cpe:/a:redhat:cryostat:4::el9
Red Hat	Cryostat 4 on RHEL 9	Unaffected: 4.0.0-7 , < * (rpm) cpe:/a:redhat:cryostat:4::el9
Red Hat	Cryostat 4 on RHEL 9	Unaffected: 4.0.0-7 , < * (rpm) cpe:/a:redhat:cryostat:4::el9
Red Hat	Cryostat 4 on RHEL 9	Unaffected: 4.0.0-7 , < * (rpm) cpe:/a:redhat:cryostat:4::el9
Red Hat	Cryostat 4 on RHEL 9	Unaffected: 4.0.0-7 , < * (rpm) cpe:/a:redhat:cryostat:4::el9
Red Hat	Cryostat 4 on RHEL 9	Unaffected: 4.0.0-7 , < * (rpm) cpe:/a:redhat:cryostat:4::el9
Red Hat	Cryostat 4 on RHEL 9	Unaffected: 4.0.0-7 , < * (rpm) cpe:/a:redhat:cryostat:4::el9
Red Hat	HawtIO HawtIO 4.2.0	cpe:/a:redhat:apache_camel_hawtio:4.2::el6
Red Hat	Red Hat build of Quarkus 3.15.3	cpe:/a:redhat:quarkus:3.15::el8
Red Hat	Cryostat 3	cpe:/a:redhat:cryostat:3
Red Hat	Red Hat build of Apache Camel 4 for Quarkus 3	cpe:/a:redhat:camel_quarkus:3
Red Hat	Red Hat build of Apache Camel 4 for Quarkus 3	cpe:/a:redhat:camel_quarkus:3
Red Hat	Red Hat build of Apicurio Registry 2	cpe:/a:redhat:service_registry:2
Red Hat	Red Hat Build of Keycloak	cpe:/a:redhat:build_keycloak:
Red Hat	Red Hat build of OptaPlanner 8	cpe:/a:redhat:optaplanner:::el6
Red Hat	Red Hat Fuse 7	cpe:/a:redhat:jboss_fuse:7
Red Hat	Red Hat Integration Camel K 1	cpe:/a:redhat:integration:1
Red Hat	Red Hat JBoss Enterprise Application Platform 8	cpe:/a:redhat:jboss_enterprise_application_platform:8
Red Hat	Red Hat JBoss Enterprise Application Platform Expansion Pack	cpe:/a:redhat:jbosseapxp
Red Hat	Red Hat Process Automation 7	cpe:/a:redhat:jboss_enterprise_bpms_platform:7
Red Hat	streams for Apache Kafka	cpe:/a:redhat:amq_streams:1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-12397",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-12-12T15:31:47.316503Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-12T15:45:08.143Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/quarkusio/quarkus-http",
          "defaultStatus": "unaffected",
          "packageName": "quarkus-http",
          "versions": [
            {
              "lessThan": "5.3.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:cryostat:4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "cryostat/cryostat-agent-init-rhel9",
          "product": "Cryostat 4 on RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0.5.0-6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:cryostat:4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "cryostat/cryostat-db-rhel9",
          "product": "Cryostat 4 on RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "4.0.0-7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:cryostat:4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "cryostat/cryostat-grafana-dashboard-rhel9",
          "product": "Cryostat 4 on RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "4.0.0-7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:cryostat:4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "cryostat/cryostat-openshift-console-plugin-rhel9",
          "product": "Cryostat 4 on RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "4.0.0-7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:cryostat:4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "cryostat/cryostat-operator-bundle",
          "product": "Cryostat 4 on RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "4.0.0-7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:cryostat:4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "cryostat/cryostat-ose-oauth-proxy-rhel9",
          "product": "Cryostat 4 on RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "4.0.0-7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:cryostat:4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "cryostat/cryostat-reports-rhel9",
          "product": "Cryostat 4 on RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "4.0.0-7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:cryostat:4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "cryostat/cryostat-rhel9",
          "product": "Cryostat 4 on RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "4.0.0-7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:cryostat:4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "cryostat/cryostat-rhel9-operator",
          "product": "Cryostat 4 on RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "4.0.0-7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:cryostat:4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "cryostat/cryostat-storage-rhel9",
          "product": "Cryostat 4 on RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "4.0.0-7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:cryostat:4::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "cryostat/jfr-datasource-rhel9",
          "product": "Cryostat 4 on RHEL 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "4.0.0-7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:apache_camel_hawtio:4.2::el6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "io.quarkus.http/quarkus-http-core",
          "product": "HawtIO HawtIO 4.2.0",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:quarkus:3.15::el8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "io.quarkus.http/quarkus-http-core",
          "product": "Red Hat build of Quarkus 3.15.3",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:cryostat:3"
          ],
          "defaultStatus": "affected",
          "packageName": "io.quarkus.http/quarkus-http-core",
          "product": "Cryostat 3",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:camel_quarkus:3"
          ],
          "defaultStatus": "affected",
          "packageName": "com.redhat.quarkus.platform/quarkus-camel-bom",
          "product": "Red Hat build of Apache Camel 4 for Quarkus 3",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:camel_quarkus:3"
          ],
          "defaultStatus": "affected",
          "packageName": "com.redhat.quarkus.platform/quarkus-cxf-bom",
          "product": "Red Hat build of Apache Camel 4 for Quarkus 3",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:service_registry:2"
          ],
          "defaultStatus": "affected",
          "packageName": "io.quarkus.http/quarkus-http-core",
          "product": "Red Hat build of Apicurio Registry 2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:"
          ],
          "defaultStatus": "affected",
          "packageName": "io.quarkus.http/quarkus-http-core",
          "product": "Red Hat Build of Keycloak",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:optaplanner:::el6"
          ],
          "defaultStatus": "affected",
          "packageName": "io.quarkus.http/quarkus-http-core",
          "product": "Red Hat build of OptaPlanner 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_fuse:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "io.quarkus.http/quarkus-http-core",
          "product": "Red Hat Fuse 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:integration:1"
          ],
          "defaultStatus": "affected",
          "packageName": "io.quarkus.http/quarkus-http-core",
          "product": "Red Hat Integration Camel K 1",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "io.quarkus.http/quarkus-http-core",
          "product": "Red Hat JBoss Enterprise Application Platform 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:jbosseapxp"
          ],
          "defaultStatus": "unaffected",
          "packageName": "io.quarkus.http/quarkus-http-core",
          "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
          ],
          "defaultStatus": "affected",
          "packageName": "io.quarkus.http/quarkus-http-core",
          "product": "Red Hat Process Automation 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:amq_streams:1"
          ],
          "defaultStatus": "affected",
          "packageName": "io.quarkus.http/quarkus-http-core",
          "product": "streams for Apache Kafka",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2024-12-10T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with\ncertain value-delimiting characters in incoming requests. This issue could\nallow an attacker to construct a cookie value to exfiltrate HttpOnly cookie\nvalues or spoof arbitrary additional cookie values, leading to unauthorized\ndata access or modification. The main threat from this flaw impacts data\nconfidentiality and integrity."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-444",
              "description": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-11T16:11:24.359Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2025:0900",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:0900"
        },
        {
          "name": "RHSA-2025:3018",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:3018"
        },
        {
          "name": "RHSA-2025:8761",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:8761"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2024-12397"
        },
        {
          "name": "RHBZ#2331298",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2331298"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-12-10T01:15:33.380000+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2024-12-10T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Io.quarkus.http/quarkus-http-core: quarkus http cookie smuggling",
      "workarounds": [
        {
          "lang": "en",
          "value": "Currently, no mitigation is available for this vulnerability."
        }
      ],
      "x_redhatCweChain": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2024-12397",
    "datePublished": "2024-12-12T09:05:28.451Z",
    "dateReserved": "2024-12-10T01:22:12.303Z",
    "dateUpdated": "2025-11-11T16:11:24.359Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2025-0285

CVE-2024-47535 (GCVE-0-2024-47535)

CVE-2024-12397 (GCVE-0-2024-12397)

Tags

Sightings

Nomenclature