CVE-2024-12397: 
Java vulnerability analysis and mitigation

A vulnerability (CVE-2024-12397) was discovered in Quarkus-HTTP, affecting the cookie parsing mechanism. The flaw was disclosed on December 12, 2024, impacting various Red Hat products including Red Hat build of Quarkus 3.15.3, Red Hat Build of Apache Camel 4.8, and several other Red Hat services. The vulnerability stems from incorrect parsing of cookies with certain value-delimiting characters in incoming requests (NVD, Red Hat CVE).

The vulnerability is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests) with a CVSS v3.1 base score of 7.4 (HIGH). The attack vector is network-based (AV:N) with high attack complexity (AC:H), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U) with high impact on both confidentiality and integrity (C:H, I:H) but no impact on availability (A:N) (NVD).

The vulnerability allows attackers to construct malicious cookie values that can lead to two primary impacts: the exfiltration of HttpOnly cookie values and the ability to spoof arbitrary additional cookie values. This poses significant risks to data confidentiality and integrity, potentially leading to unauthorized data access or modification (Red Hat Bugzilla).

Red Hat has addressed this vulnerability by releasing security updates for affected products. Updates are available through RHSA-2025:0900 for Red Hat build of Quarkus 3.15.3 and RHSA-2025:1082 for Red Hat Build of Apache Camel 4.8 for Quarkus 3.15. Users are advised to apply these security updates to mitigate the vulnerability (Red Hat Advisory, Red Hat Camel).