
    4 vulnerabilities found for Cryostat 4 on RHEL 9 by Red Hat

    CVE-2025-8415 (GCVE-0-2025-8415)

    Vulnerability from nvd – Published: 2025-08-20 16:14 – Updated: 2025-12-23 22:37
    Title
    Cryostat: authentication bypass if network policies are disabled
    Summary
    A vulnerability was found in the Cryostat HTTP API. Cryostat's HTTP API binds to all network interfaces, so the API port may be externally visible and reachable if Network Policies are disabled, allowing an unauthenticated, malicious attacker to jeopardize the environment.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-289 - Authentication Bypass by Alternate Name
    Assigner
    Impacted products
    Vendor Product Version
    Cryostat Cryostat Affected: 0 , < 4.0.2 (semver)
    Red Hat Cryostat 4 on RHEL 9 Unaffected: 0.5.2-3 , < * (rpm)
        cpe:/a:redhat:cryostat:4::el9
    Red Hat Cryostat 4 on RHEL 9 Unaffected: 4.0.2-3 , < * (rpm)
        cpe:/a:redhat:cryostat:4::el9
    Red Hat Cryostat 4     cpe:/a:redhat:cryostat:4
    Date Public
    2025-08-20 00:00

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-8415",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-20T18:43:09.674363Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-20T18:43:17.330Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/cryostatio/cryostat",
              "defaultStatus": "unaffected",
              "packageName": "cryostat",
              "product": "Cryostat",
              "vendor": "Cryostat",
              "versions": [
                {
                  "lessThan": "4.0.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-agent-init-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0.5.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-db-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-grafana-dashboard-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-openshift-console-plugin-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-operator-bundle",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-ose-oauth-proxy-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-reports-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-rhel9-operator",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-storage-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/jfr-datasource-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat",
              "product": "Cryostat 4",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-rhel9",
              "product": "Cryostat 4",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-rhel9-operator",
              "product": "Cryostat 4",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2025-08-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in the Cryostat HTTP API. Cryostat\u0027s HTTP API binds to all network interfaces, allowing possible external visibility and access to the API port if Network Policies are disabled, allowing an unauthenticated, malicious attacker to jeopardize the environment."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-289",
                  "description": "Authentication Bypass by Alternate Name",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-23T22:37:35.912Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2025:14919",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:14919"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2025-8415"
            },
            {
              "name": "RHBZ#2385773",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2385773"
            },
            {
              "url": "https://github.com/cryostatio/cryostat/pull/1001"
            },
            {
              "url": "https://github.com/cryostatio/cryostat/releases/tag/v4.0.2"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-07-31T13:30:18.157Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2025-08-20T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Cryostat: authentication bypass if network policies are disabled",
          "workarounds": [
            {
              "lang": "en",
              "value": "Cryostat is not vulnerable by default, as Network Policy is enabled and prevents this behavior. Make sure the Network Policies are enabled in Custom Resources and that the underlying cluster network stack supports Network Policies."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-289: Authentication Bypass by Alternate Name"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2025-8415",
        "datePublished": "2025-08-20T16:14:33.566Z",
        "dateReserved": "2025-07-31T13:42:35.044Z",
        "dateUpdated": "2025-12-23T22:37:35.912Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-12397 (GCVE-0-2024-12397)

    Vulnerability from nvd – Published: 2024-12-12 09:05 – Updated: 2026-01-28 15:45
    Title
    io.quarkus.http/quarkus-http-core: quarkus http cookie smuggling
    Summary
    A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2025:0900 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2025:3018 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2025:8761 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2024-12397 vdb-entry, x_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2331298 issue-tracking, x_refsource_REDHAT
    Impacted products
    Vendor Product Version
    quarkus-http (upstream package; no vendor/product given in the record) Affected: 0 , < 5.3.4 (semver)
    Red Hat Cryostat 4 on RHEL 9 Unaffected: 0.5.0-6 , < * (rpm)
        cpe:/a:redhat:cryostat:4::el9
    Red Hat Cryostat 4 on RHEL 9 Unaffected: 4.0.0-7 , < * (rpm)
        cpe:/a:redhat:cryostat:4::el9
    Red Hat HawtIO HawtIO 4.2.0     cpe:/a:redhat:apache_camel_hawtio:4.2::el6
    Red Hat Red Hat build of Quarkus 3.15.3     cpe:/a:redhat:quarkus:3.15::el8
    Red Hat Cryostat 3     cpe:/a:redhat:cryostat:3
    Red Hat Red Hat build of Apache Camel 4 for Quarkus 3     cpe:/a:redhat:camel_quarkus:3
    Red Hat Red Hat build of Apicurio Registry 2     cpe:/a:redhat:service_registry:2
    Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
    Red Hat Red Hat build of OptaPlanner 8     cpe:/a:redhat:optaplanner:::el6
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Red Hat Red Hat Integration Camel K 1     cpe:/a:redhat:integration:1
    Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
    Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
    Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
    Red Hat streams for Apache Kafka     cpe:/a:redhat:amq_streams:1
    Date Public
    2024-12-10 00:00

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12397",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-12T15:31:47.316503Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-12T15:45:08.143Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/quarkusio/quarkus-http",
              "defaultStatus": "unaffected",
              "packageName": "quarkus-http",
              "versions": [
                {
                  "lessThan": "5.3.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-agent-init-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0.5.0-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-db-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.0-7",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-grafana-dashboard-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.0-7",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-openshift-console-plugin-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.0-7",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-operator-bundle",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.0-7",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-ose-oauth-proxy-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.0-7",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-reports-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.0-7",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.0-7",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-rhel9-operator",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.0-7",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-storage-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.0-7",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/jfr-datasource-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.0-7",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:apache_camel_hawtio:4.2::el6"
              ],
              "defaultStatus": "unaffected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "HawtIO HawtIO 4.2.0",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:quarkus:3.15::el8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "Red Hat build of Quarkus 3.15.3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:cryostat:3"
              ],
              "defaultStatus": "affected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "Cryostat 3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:camel_quarkus:3"
              ],
              "defaultStatus": "affected",
              "packageName": "com.redhat.quarkus.platform/quarkus-camel-bom",
              "product": "Red Hat build of Apache Camel 4 for Quarkus 3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:camel_quarkus:3"
              ],
              "defaultStatus": "affected",
              "packageName": "com.redhat.quarkus.platform/quarkus-cxf-bom",
              "product": "Red Hat build of Apache Camel 4 for Quarkus 3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:service_registry:2"
              ],
              "defaultStatus": "affected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "Red Hat build of Apicurio Registry 2",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:optaplanner:::el6"
              ],
              "defaultStatus": "affected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "Red Hat build of OptaPlanner 8",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:jboss_fuse:7"
              ],
              "defaultStatus": "unknown",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "Red Hat Fuse 7",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:integration:1"
              ],
              "defaultStatus": "affected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "Red Hat Integration Camel K 1",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jboss_enterprise_application_platform:8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "Red Hat JBoss Enterprise Application Platform 8",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jbosseapxp"
              ],
              "defaultStatus": "unaffected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
              ],
              "defaultStatus": "affected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "Red Hat Process Automation 7",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:amq_streams:1"
              ],
              "defaultStatus": "affected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "streams for Apache Kafka",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2024-12-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with\ncertain value-delimiting characters in incoming requests. This issue could\nallow an attacker to construct a cookie value to exfiltrate HttpOnly cookie\nvalues or spoof arbitrary additional cookie values, leading to unauthorized\ndata access or modification. The main threat from this flaw impacts data\nconfidentiality and integrity."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-444",
                  "description": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-28T15:45:38.773Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2025:0900",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:0900"
            },
            {
              "name": "RHSA-2025:3018",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:3018"
            },
            {
              "name": "RHSA-2025:8761",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:8761"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2024-12397"
            },
            {
              "name": "RHBZ#2331298",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2331298"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-12-10T01:15:33.380Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2024-12-10T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Io.quarkus.http/quarkus-http-core: quarkus http cookie smuggling",
          "workarounds": [
            {
              "lang": "en",
              "value": "Currently, no mitigation is available for this vulnerability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2024-12397",
        "datePublished": "2024-12-12T09:05:28.451Z",
        "dateReserved": "2024-12-10T01:22:12.303Z",
        "dateUpdated": "2026-01-28T15:45:38.773Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-8415 (GCVE-0-2025-8415)

    Vulnerability from cvelistv5 – Published: 2025-08-20 16:14 – Updated: 2025-12-23 22:37
    Title
    Cryostat: authentication bypass if network policies are disabled
    Summary
    A vulnerability was found in the Cryostat HTTP API. Cryostat's HTTP API binds to all network interfaces, so if Network Policies are disabled the API port may be externally visible and reachable, allowing an unauthenticated, malicious attacker to jeopardize the environment.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-289 - Authentication Bypass by Alternate Name
    Assigner
    Impacted products
    Vendor Product Version
    Cryostat Cryostat Affected: 0 , < 4.0.2 (semver)
    Red Hat Cryostat 4 on RHEL 9 Unaffected: 0.5.2-3 , < * (rpm)
        cpe:/a:redhat:cryostat:4::el9
    Red Hat Cryostat 4 on RHEL 9 Unaffected: 4.0.2-3 , < * (rpm)
        cpe:/a:redhat:cryostat:4::el9
    Red Hat Cryostat 4     cpe:/a:redhat:cryostat:4
    Date Public
    2025-08-20 00:00

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-8415",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-20T18:43:09.674363Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-20T18:43:17.330Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/cryostatio/cryostat",
              "defaultStatus": "unaffected",
              "packageName": "cryostat",
              "product": "Cryostat",
              "vendor": "Cryostat",
              "versions": [
                {
                  "lessThan": "4.0.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-agent-init-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0.5.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-db-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-grafana-dashboard-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-openshift-console-plugin-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-operator-bundle",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-ose-oauth-proxy-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-reports-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-rhel9-operator",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-storage-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/jfr-datasource-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.2-3",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat",
              "product": "Cryostat 4",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-rhel9",
              "product": "Cryostat 4",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-rhel9-operator",
              "product": "Cryostat 4",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2025-08-20T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in the Cryostat HTTP API. Cryostat\u0027s HTTP API binds to all network interfaces, allowing possible external visibility and access to the API port if Network Policies are disabled, allowing an unauthenticated, malicious attacker to jeopardize the environment."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-289",
                  "description": "Authentication Bypass by Alternate Name",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-23T22:37:35.912Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2025:14919",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:14919"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2025-8415"
            },
            {
              "name": "RHBZ#2385773",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2385773"
            },
            {
              "url": "https://github.com/cryostatio/cryostat/pull/1001"
            },
            {
              "url": "https://github.com/cryostatio/cryostat/releases/tag/v4.0.2"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-07-31T13:30:18.157Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2025-08-20T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Cryostat: authentication bypass if network policies are disabled",
          "workarounds": [
            {
              "lang": "en",
              "value": "Cryostat is not vulnerable by default, as Network Policy is enabled and prevents this behavior. Make sure the Network Policies are enabled in Custom Resources and that the underlying cluster network stack supports Network Policies."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-289: Authentication Bypass by Alternate Name"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2025-8415",
        "datePublished": "2025-08-20T16:14:33.566Z",
        "dateReserved": "2025-07-31T13:42:35.044Z",
        "dateUpdated": "2025-12-23T22:37:35.912Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-12397 (GCVE-0-2024-12397)

    Vulnerability from cvelistv5 – Published: 2024-12-12 09:05 – Updated: 2026-01-28 15:45
    Title
    Io.quarkus.http/quarkus-http-core: quarkus http cookie smuggling
    Summary
    A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2025:0900 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2025:3018 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2025:8761 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/security/cve/CVE-2024-12397 vdb-entry, x_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2331298 issue-tracking, x_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Affected: 0 , < 5.3.4 (semver)
    Red Hat Cryostat 4 on RHEL 9 Unaffected: 0.5.0-6 , < * (rpm)
        cpe:/a:redhat:cryostat:4::el9
    Red Hat Cryostat 4 on RHEL 9 Unaffected: 4.0.0-7 , < * (rpm)
        cpe:/a:redhat:cryostat:4::el9
    Red Hat HawtIO HawtIO 4.2.0     cpe:/a:redhat:apache_camel_hawtio:4.2::el6
    Red Hat Red Hat build of Quarkus 3.15.3     cpe:/a:redhat:quarkus:3.15::el8
    Red Hat Cryostat 3     cpe:/a:redhat:cryostat:3
    Red Hat Red Hat build of Apache Camel 4 for Quarkus 3     cpe:/a:redhat:camel_quarkus:3
    Red Hat Red Hat build of Apicurio Registry 2     cpe:/a:redhat:service_registry:2
    Red Hat Red Hat Build of Keycloak     cpe:/a:redhat:build_keycloak:
    Red Hat Red Hat build of OptaPlanner 8     cpe:/a:redhat:optaplanner:::el6
    Red Hat Red Hat Fuse 7     cpe:/a:redhat:jboss_fuse:7
    Red Hat Red Hat Integration Camel K 1     cpe:/a:redhat:integration:1
    Red Hat Red Hat JBoss Enterprise Application Platform 8     cpe:/a:redhat:jboss_enterprise_application_platform:8
    Red Hat Red Hat JBoss Enterprise Application Platform Expansion Pack     cpe:/a:redhat:jbosseapxp
    Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
    Red Hat streams for Apache Kafka     cpe:/a:redhat:amq_streams:1
    Date Public
    2024-12-10 00:00

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12397",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-12-12T15:31:47.316503Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-12-12T15:45:08.143Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://github.com/quarkusio/quarkus-http",
              "defaultStatus": "unaffected",
              "packageName": "quarkus-http",
              "versions": [
                {
                  "lessThan": "5.3.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-agent-init-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "0.5.0-6",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-db-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.0-7",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-grafana-dashboard-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.0-7",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-openshift-console-plugin-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.0-7",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-operator-bundle",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.0-7",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-ose-oauth-proxy-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.0-7",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-reports-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.0-7",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.0-7",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-rhel9-operator",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.0-7",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/cryostat-storage-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.0-7",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://catalog.redhat.com/software/containers/",
              "cpes": [
                "cpe:/a:redhat:cryostat:4::el9"
              ],
              "defaultStatus": "affected",
              "packageName": "cryostat/jfr-datasource-rhel9",
              "product": "Cryostat 4 on RHEL 9",
              "vendor": "Red Hat",
              "versions": [
                {
                  "lessThan": "*",
                  "status": "unaffected",
                  "version": "4.0.0-7",
                  "versionType": "rpm"
                }
              ]
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:apache_camel_hawtio:4.2::el6"
              ],
              "defaultStatus": "unaffected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "HawtIO HawtIO 4.2.0",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:quarkus:3.15::el8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "Red Hat build of Quarkus 3.15.3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:cryostat:3"
              ],
              "defaultStatus": "affected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "Cryostat 3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:camel_quarkus:3"
              ],
              "defaultStatus": "affected",
              "packageName": "com.redhat.quarkus.platform/quarkus-camel-bom",
              "product": "Red Hat build of Apache Camel 4 for Quarkus 3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:camel_quarkus:3"
              ],
              "defaultStatus": "affected",
              "packageName": "com.redhat.quarkus.platform/quarkus-cxf-bom",
              "product": "Red Hat build of Apache Camel 4 for Quarkus 3",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:service_registry:2"
              ],
              "defaultStatus": "affected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "Red Hat build of Apicurio Registry 2",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:build_keycloak:"
              ],
              "defaultStatus": "affected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "Red Hat Build of Keycloak",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:optaplanner:::el6"
              ],
              "defaultStatus": "affected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "Red Hat build of OptaPlanner 8",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:jboss_fuse:7"
              ],
              "defaultStatus": "unknown",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "Red Hat Fuse 7",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:integration:1"
              ],
              "defaultStatus": "affected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "Red Hat Integration Camel K 1",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jboss_enterprise_application_platform:8"
              ],
              "defaultStatus": "unaffected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "Red Hat JBoss Enterprise Application Platform 8",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
              "cpes": [
                "cpe:/a:redhat:jbosseapxp"
              ],
              "defaultStatus": "unaffected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
              ],
              "defaultStatus": "affected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "Red Hat Process Automation 7",
              "vendor": "Red Hat"
            },
            {
              "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
              "cpes": [
                "cpe:/a:redhat:amq_streams:1"
              ],
              "defaultStatus": "affected",
              "packageName": "io.quarkus.http/quarkus-http-core",
              "product": "streams for Apache Kafka",
              "vendor": "Red Hat"
            }
          ],
          "datePublic": "2024-12-10T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with\ncertain value-delimiting characters in incoming requests. This issue could\nallow an attacker to construct a cookie value to exfiltrate HttpOnly cookie\nvalues or spoof arbitrary additional cookie values, leading to unauthorized\ndata access or modification. The main threat from this flaw impacts data\nconfidentiality and integrity."
            }
          ],
          "metrics": [
            {
              "other": {
                "content": {
                  "namespace": "https://access.redhat.com/security/updates/classification/",
                  "value": "Moderate"
                },
                "type": "Red Hat severity rating"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-444",
                  "description": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-28T15:45:38.773Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2025:0900",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:0900"
            },
            {
              "name": "RHSA-2025:3018",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:3018"
            },
            {
              "name": "RHSA-2025:8761",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2025:8761"
            },
            {
              "tags": [
                "vdb-entry",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/security/cve/CVE-2024-12397"
            },
            {
              "name": "RHBZ#2331298",
              "tags": [
                "issue-tracking",
                "x_refsource_REDHAT"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2331298"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-12-10T01:15:33.380Z",
              "value": "Reported to Red Hat."
            },
            {
              "lang": "en",
              "time": "2024-12-10T00:00:00.000Z",
              "value": "Made public."
            }
          ],
          "title": "Io.quarkus.http/quarkus-http-core: quarkus http cookie smuggling",
          "workarounds": [
            {
              "lang": "en",
              "value": "Currently, no mitigation is available for this vulnerability."
            }
          ],
          "x_generator": {
            "engine": "cvelib 1.8.0"
          },
          "x_redhatCweChain": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2024-12397",
        "datePublished": "2024-12-12T09:05:28.451Z",
        "dateReserved": "2024-12-10T01:22:12.303Z",
        "dateUpdated": "2026-01-28T15:45:38.773Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }