CVE-2023-4639
CVSS base score: 7.4

A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.

Linked by AI from unstructured data to existing NVD CPEs
Data provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Affected products (vendor for all entries: Red Hat)

Version ranges are given as in the CVE record: starting version, upper bound (< *), and the status of that range.

Migration Toolkit for Runtimes 1 on RHEL 8: default status affected; version 1.2-23 (< *): unaffected
Migration Toolkit for Runtimes 1 on RHEL 8: default status affected; version 1.2-15 (< *): unaffected
Migration Toolkit for Runtimes 1 on RHEL 8: default status affected; version 1.2-16 (< *): unaffected
Migration Toolkit for Runtimes 1 on RHEL 8: default status affected; version 1.2-14 (< *): unaffected
Red Hat JBoss Enterprise Application Platform 7: default status unaffected
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8: default status affected; version 0:2.2.30-1.SP1_redhat_00001.1.el8eap (< *): unaffected
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9: default status affected; version 0:2.2.30-1.SP1_redhat_00001.1.el9eap (< *): unaffected
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7: default status affected; version 0:2.2.30-1.SP1_redhat_00001.1.el7eap (< *): unaffected
Red Hat JBoss Enterprise Application Platform 8: default status unaffected
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8: default status affected; version 0:2.3.11-1.SP1_redhat_00001.1.el8eap (< *): unaffected
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9: default status affected; version 0:2.3.11-1.SP1_redhat_00001.1.el9eap (< *): unaffected
Migration Toolkit for Applications 6: default status affected
Red Hat build of Apache Camel for Spring Boot 3: default status unaffected
Red Hat build of Apicurio Registry: default status unknown
Red Hat build of Quarkus: default status unknown
Red Hat Data Grid 8: default status unaffected
Red Hat Decision Manager 7: default status unknown
Red Hat Fuse 7: default status unknown
Red Hat Integration Camel K: default status unaffected
Red Hat Integration Camel Quarkus: default status unaffected
Red Hat Integration Change Data Capture: default status unknown
Red Hat JBoss Data Grid 7: default status unknown
Red Hat JBoss Enterprise Application Platform 6: default status unknown
Red Hat JBoss Fuse 6: default status unknown
Red Hat JBoss Fuse Service Works 6: default status unknown
Red Hat Process Automation 7: default status unknown
Red Hat Single Sign-On 7: default status unknown
No CISA KEV entry or CERT.AT warning was found for this CVE.
EPSS metrics

Type   Source     Score   Percentile
EPSS   FIRST.org  3.74%   0.875
CVSS metrics

Source                Base score   Exploitability score   Impact score   Vector string
secalert@redhat.com   7.4          2.2                    5.2            CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.