CVE-2024-47764 — Injection in Cookie

CWE-74 — Injection7 documents6 sources

Severity

6.9MEDIUMNVD

EPSS

0.2%

top 57.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jshttp Cookie Debian Node-cookie Cookie Project Cookie +6 more

Timeline

PublishedOct 4

Latest updateOct 8

Description

cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages9 packages

▶CVEListV5jshttp/cookie< 0.7.0

▶debiandebian/node-cookie< node-cookie 0.7.1+~0.6.0-1 (forky)

▶npmcookie_project/cookie< 0.7.0

▶msrcmsrc/cbl_mariner_2.0_arm

▶msrcmsrc/cbl_mariner_2.0_x64

🔴Vulnerability Details

OSV

cookie accepts cookie name, path, and domain with out of bounds characters↗2024-10-04

▶

GHSA

cookie accepts cookie name, path, and domain with out of bounds characters↗2024-10-04

▶

OSV

CVE-2024-47764: cookie is a basic HTTP cookie parser and serializer for HTTP servers↗2024-10-04

▶

📋Vendor Advisories

Microsoft

cookie accepts cookie name path and domain with out of bounds characters↗2024-10-08

▶

Red Hat

cookie: cookie accepts cookie name, path, and domain with out of bounds characters↗2024-10-04

▶

Debian

CVE-2024-47764: node-cookie - cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie...↗2024

▶