CVE-2023-4639HTTP Request Smuggling in Redhat Undertow

CWE-444HTTP Request Smuggling7 documents6 sources
Severity
7.4HIGHNVD
EPSS
7.4%
top 8.27%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Redhat Undertow
Timeline
PublishedNov 17

Description

A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages1 packages

Debianredhat/undertow< 2.3.18-1

🔴Vulnerability Details

4
CVEList
Undertow: cookie smuggling/spoofing2024-11-17
GHSA
Undertow incorrectly parses cookies2024-11-17
OSV
CVE-2023-4639: A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests2024-11-17
OSV
Undertow incorrectly parses cookies2024-11-17

📋Vendor Advisories

2
Red Hat
undertow: Cookie Smuggling/Spoofing2024-02-08
Debian
CVE-2023-4639: undertow - A flaw was found in Undertow, which incorrectly parses cookies with certain valu...2023
CVE-2023-4639 — HTTP Request Smuggling in Redhat | cvebase