{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4639", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-08-30T14:52:04.007Z", "datePublished": "2024-11-17T10:21:44.539Z", "dateUpdated": "2024-11-17T16:17:46.027Z"}, "containers": {"cna": {"title": "Undertow: cookie smuggling/spoofing", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity."}], "affected": [{"vendor": "Red Hat", "product": "Migration Toolkit for Runtimes 1 on RHEL 8", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "mtr/mtr-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "1.2-23", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"]}, {"vendor": "Red Hat", "product": "Migration Toolkit for Runtimes 1 on RHEL 8", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "mtr/mtr-rhel8-operator", "defaultStatus": "affected", "versions": [{"version": "1.2-15", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"]}, {"vendor": "Red Hat", "product": "Migration Toolkit for Runtimes 1 on RHEL 8", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "mtr/mtr-web-container-rhel8", "defaultStatus": "affected", "versions": [{"version": "1.2-16", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"]}, {"vendor": "Red Hat", "product": "Migration Toolkit for Runtimes 1 on RHEL 8", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "mtr/mtr-web-executor-container-rhel8", "defaultStatus": "affected", "versions": [{"version": "1.2-14", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected", "packageName": "undertow", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap7-undertow", "defaultStatus": "affected", "versions": [{"version": "0:2.2.30-1.SP1_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap7-undertow", "defaultStatus": "affected", "versions": [{"version": "0:2.2.30-1.SP1_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap7-undertow", "defaultStatus": "affected", "versions": [{"version": "0:2.2.30-1.SP1_redhat_00001.1.el7eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "undertow", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-undertow", "defaultStatus": "affected", "versions": [{"version": "0:2.3.11-1.SP1_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap8-undertow", "defaultStatus": "affected", "versions": [{"version": "0:2.3.11-1.SP1_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"]}, {"vendor": "Red Hat", "product": "Migration Toolkit for Applications 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "org.keycloak-keycloak-parent", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:migration_toolkit_applications:6"]}, {"vendor": "Red Hat", "product": "Red Hat build of Apache Camel for Spring Boot 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "undertow", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:camel_spring_boot:3"]}, {"vendor": "Red Hat", "product": "Red Hat build of Apicurio Registry", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "undertow", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:service_registry:2"]}, {"vendor": "Red Hat", "product": "Red Hat build of Quarkus", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.quarkus/quarkus-undertow", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:quarkus:2"]}, {"vendor": "Red Hat", "product": "Red Hat Data Grid 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "undertow", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jboss_data_grid:8"]}, {"vendor": "Red Hat", "product": "Red Hat Decision Manager 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "undertow", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_enterprise_brms_platform:7"]}, {"vendor": "Red Hat", "product": "Red Hat Fuse 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "undertow", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_fuse:7"]}, {"vendor": "Red Hat", "product": "Red Hat Integration Camel K", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "undertow", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:integration:1"]}, {"vendor": "Red Hat", "product": "Red Hat Integration Camel Quarkus", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "undertow", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:camel_quarkus:2"]}, {"vendor": "Red Hat", "product": "Red Hat Integration Change Data Capture", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "undertow", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:integration:1"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Data Grid 7", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "undertow", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_data_grid:7"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 6", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "undertow", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:6"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Fuse 6", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "undertow", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_fuse:6"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Fuse Service Works 6", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "undertow", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_fuse_service_works:6"]}, {"vendor": "Red Hat", "product": "Red Hat Process Automation 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "undertow", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_enterprise_bpms_platform:7"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "undertow", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:1674", "name": "RHSA-2024:1674", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1675", "name": "RHSA-2024:1675", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1676", "name": "RHSA-2024:1676", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1677", "name": "RHSA-2024:1677", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2763", "name": "RHSA-2024:2763", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2764", "name": "RHSA-2024:2764", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:3919", "name": "RHSA-2024:3919", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-4639", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2166022", "name": "RHBZ#2166022", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-02-08T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "description": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", "timeline": [{"lang": "en", "time": "2023-01-28T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-02-08T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Ankur Sundara for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-17T10:21:44.539Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-17T16:17:32.886591Z", "id": "CVE-2023-4639", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-17T16:17:46.027Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-4639", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-11-17T16:17:32.886591Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-17T16:17:40.737Z"}}], "cna": {"title": "Undertow: cookie smuggling/spoofing", "credits": [{"lang": "en", "value": "Red Hat would like to thank Ankur Sundara for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"], "vendor": "Red Hat", "product": "Migration Toolkit for Runtimes 1 on RHEL 8", "versions": [{"status": "unaffected", "version": "1.2-23", "lessThan": "*", "versionType": "rpm"}], "packageName": "mtr/mtr-operator-bundle", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"], "vendor": "Red Hat", "product": "Migration Toolkit for Runtimes 1 on RHEL 8", "versions": [{"status": "unaffected", "version": "1.2-15", "lessThan": "*", "versionType": "rpm"}], "packageName": "mtr/mtr-rhel8-operator", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"], "vendor": "Red Hat", "product": "Migration Toolkit for Runtimes 1 on RHEL 8", "versions": [{"status": "unaffected", "version": "1.2-16", "lessThan": "*", "versionType": "rpm"}], "packageName": "mtr/mtr-web-container-rhel8", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"], "vendor": "Red Hat", "product": "Migration Toolkit for Runtimes 1 on RHEL 8", "versions": [{"status": "unaffected", "version": "1.2-14", "lessThan": "*", "versionType": "rpm"}], "packageName": "mtr/mtr-web-executor-container-rhel8", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7", "packageName": "undertow", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:2.2.30-1.SP1_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap7-undertow", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:2.2.30-1.SP1_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap7-undertow", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "versions": [{"status": "unaffected", "version": "0:2.2.30-1.SP1_redhat_00001.1.el7eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap7-undertow", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "packageName": "undertow", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:2.3.11-1.SP1_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-undertow", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:2.3.11-1.SP1_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap8-undertow", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:migration_toolkit_applications:6"], "vendor": "Red Hat", "product": "Migration Toolkit for Applications 6", "packageName": "org.keycloak-keycloak-parent", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:camel_spring_boot:3"], "vendor": "Red Hat", "product": "Red Hat build of Apache Camel for Spring Boot 3", "packageName": "undertow", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:service_registry:2"], "vendor": "Red Hat", "product": "Red Hat build of Apicurio Registry", "packageName": "undertow", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:quarkus:2"], "vendor": "Red Hat", "product": "Red Hat build of Quarkus", "packageName": "io.quarkus/quarkus-undertow", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:jboss_data_grid:8"], "vendor": "Red Hat", "product": "Red Hat Data Grid 8", "packageName": "undertow", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_brms_platform:7"], "vendor": "Red Hat", "product": "Red Hat Decision Manager 7", "packageName": "undertow", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:jboss_fuse:7"], "vendor": "Red Hat", "product": "Red Hat Fuse 7", "packageName": "undertow", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:integration:1"], "vendor": "Red Hat", "product": "Red Hat Integration Camel K", "packageName": "undertow", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:camel_quarkus:2"], "vendor": "Red Hat", "product": "Red Hat Integration Camel Quarkus", "packageName": "undertow", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:integration:1"], "vendor": "Red Hat", "product": "Red Hat Integration Change Data Capture", "packageName": "undertow", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:jboss_data_grid:7"], "vendor": "Red Hat", "product": "Red Hat JBoss Data Grid 7", "packageName": "undertow", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:6"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 6", "packageName": "undertow", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:jboss_fuse:6"], "vendor": "Red Hat", "product": "Red Hat JBoss Fuse 6", "packageName": "undertow", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:jboss_fuse_service_works:6"], "vendor": "Red Hat", "product": "Red Hat JBoss Fuse Service Works 6", "packageName": "undertow", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_bpms_platform:7"], "vendor": "Red Hat", "product": "Red Hat Process Automation 7", "packageName": "undertow", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7"], "vendor": "Red Hat", "product": "Red Hat Single Sign-On 7", "packageName": "undertow", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}], "timeline": [{"lang": "en", "time": "2023-01-28T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-02-08T00:00:00+00:00", "value": "Made public."}], "datePublic": "2024-02-08T00:00:00+00:00", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:1674", "name": "RHSA-2024:1674", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1675", "name": "RHSA-2024:1675", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1676", "name": "RHSA-2024:1676", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:1677", "name": "RHSA-2024:1677", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2763", "name": "RHSA-2024:2763", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2764", "name": "RHSA-2024:2764", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:3919", "name": "RHSA-2024:3919", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-4639", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2166022", "name": "RHBZ#2166022", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-444", "description": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-17T10:21:44.539Z"}, "x_redhatCweChain": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')"}}, "cveMetadata": {"cveId": "CVE-2023-4639", "state": "PUBLISHED", "dateUpdated": "2024-11-17T16:17:46.027Z", "dateReserved": "2023-08-30T14:52:04.007Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-11-17T10:21:44.539Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en Undertow que analiza incorrectamente las cookies con ciertos caracteres que delimitan valores en las solicitudes entrantes. Este problema podr\u00eda permitir que un atacante construya un valor de cookie para extraer valores de cookies HttpOnly o falsificar valores de cookies adicionales arbitrarios, lo que lleva a un acceso o modificaci\u00f3n de datos no autorizados. La principal amenaza de esta falla afecta la confidencialidad e integridad de los datos."}], "id": "CVE-2023-4639", "lastModified": "2024-11-18T17:11:17.393", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2024-11-17T11:15:05.840", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1674"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1675"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1676"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1677"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:2763"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:2764"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:3919"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2023-4639"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2166022"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Ankur Sundara for reporting this issue.", "affected_release": [{"advisory": "RHSA-2024:3919", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "mtr/mtr-operator-bundle:1.2-23", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2024-06-13T00:00:00Z"}, {"advisory": "RHSA-2024:3919", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "mtr/mtr-rhel8-operator:1.2-15", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2024-06-13T00:00:00Z"}, {"advisory": "RHSA-2024:3919", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "mtr/mtr-web-container-rhel8:1.2-16", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2024-06-13T00:00:00Z"}, {"advisory": "RHSA-2024:3919", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "mtr/mtr-web-executor-container-rhel8:1.2-14", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2024-06-13T00:00:00Z"}, {"advisory": "RHSA-2024:1677", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "undertow", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2024-04-04T00:00:00Z"}, {"advisory": "RHSA-2024:1675", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-undertow-0:2.2.30-1.SP1_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-04-04T00:00:00Z"}, {"advisory": "RHSA-2024:1676", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-undertow-0:2.2.30-1.SP1_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-04-04T00:00:00Z"}, {"advisory": "RHSA-2024:1674", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-undertow-0:2.2.30-1.SP1_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-04-04T00:00:00Z"}, {"advisory": "RHSA-2024:2763", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0", "package": "undertow", "product_name": "Red Hat JBoss Enterprise Application Platform 8", "release_date": "2024-05-08T00:00:00Z"}, {"advisory": "RHSA-2024:2764", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-undertow-0:2.3.11-1.SP1_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-05-08T00:00:00Z"}, {"advisory": "RHSA-2024:2764", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-undertow-0:2.3.11-1.SP1_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-05-08T00:00:00Z"}], "bugzilla": {"description": "undertow: Cookie Smuggling/Spoofing", "id": "2166022", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2166022"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-444", "details": ["A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity."], "name": "CVE-2023-4639", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_applications:6", "fix_state": "Will not fix", "package_name": "org.keycloak-keycloak-parent", "product_name": "Migration Toolkit for Applications 6"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Under investigation", "package_name": "undertow", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Under investigation", "package_name": "io.quarkus/quarkus-undertow", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Under investigation", "package_name": "undertow", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Under investigation", "package_name": "undertow", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Under investigation", "package_name": "undertow", "product_name": "Red Hat Integration Change Data Capture"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "undertow", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Under investigation", "package_name": "undertow", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Under investigation", "package_name": "undertow", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Under investigation", "package_name": "undertow", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Under investigation", "package_name": "undertow", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Under investigation", "package_name": "undertow", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2024-02-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-4639\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-4639"], "threat_severity": "Moderate"}