#VU98760 Input validation error in cookie - CVE-2024-47764

Cybersecurity Help s.r.o.

Published: 2024-10-17

Vulnerability identifier: #VU98760

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-47764

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
cookie
Web applications / JS libraries

Vendor: jshttp

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied cookies. A remote attacker can pass a specially crafted cookie to the application and alter values passed to the application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

cookie: 0.0.1 - 0.6.0

External links
https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x
https://github.com/jshttp/cookie/pull/167
https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in QRadar Advisor With Watson for IBM QRadar SIEM

Multiple vulnerabilities in IBM Business Automation Workflow

Multiple vulnerabilities in IBM Planning Analytics Local - IBM Planning Analytics Workspace

Multiple vulnerabilities in IBM QRadar Pulse App

Multiple vulnerabilities in IBM Event Streams

Multiple vulnerabilities in IBM QRadar Data Synchronization App

IBM Maximo Application Suite - Monitor Component update for jshttp cookie

IBM Edge Data Collector update for jshttp cookie

Multiple vulnerabilities in IBM Maximo Application Suite

Multiple vulnerabilities in IBM Cloud Pak for Business Automation