PT-2024-9750
Pickypg · Published 2024-06-18 · Updated 2024-12-08 · CVE-2024-53990
CVSS v4.0: 9.2 (Critical)
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
AsyncHttpClient versions prior to 3.0.1
Description
AsyncHttpClient enables a self-managed CookieStore by default. When a request is executed, cookies held in that store silently replace cookies that were set explicitly on the request and carry the same name. In a service that uses one client instance for many users, a cookie captured from one user's responses can therefore be sent on another user's requests, which can give that user unauthorized access to the first user's protected information.
Recommendations
For versions prior to 3.0.1, upgrade to version 3.0.1 or later.
As a temporary workaround, disable the CookieStore when building the client by setting the cookie store to null, for example:

```java
import org.asynchttpclient.DefaultAsyncHttpClientConfig;
import org.asynchttpclient.Dsl;

// No shared cookie jar: cookies set explicitly on a request are sent as given
DefaultAsyncHttpClientConfig.Builder clientBuilder = Dsl.config()
        .setCookieStore(null)
        // other configuration
        ;
```
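An added example (not code from this advisory or from the AsyncHttpClient project) that reproduces the scenario the description calls out: one shared client serves two users, and the second user's request carries its own explicitly set session cookie. It assumes async-http-client 3.0.0 on the classpath, uses Netty's DefaultCookie as the cookie type AHC 3.x accepts, and starts a throwaway JDK HttpServer on the loopback interface as the origin so it runs offline; the paths, the cookie name and the token values are constructed for the demo.

```java
// Added example, not from the advisory or the AsyncHttpClient project.
// Assumes async-http-client 3.0.0 (affected) on the classpath; the JDK's
// com.sun.net.httpserver is used as a throwaway origin so the demo runs offline.
import com.sun.net.httpserver.HttpServer;
import io.netty.handler.codec.http.cookie.DefaultCookie;
import org.asynchttpclient.AsyncHttpClient;
import org.asynchttpclient.DefaultAsyncHttpClientConfig;
import org.asynchttpclient.Dsl;
import org.asynchttpclient.Request;
import org.asynchttpclient.Response;

import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;

public class CookieStoreLeakDemo {

    public static void main(String[] args) throws Exception {
        // Throwaway origin: echoes back the Cookie header it received and, on
        // /login, issues a Set-Cookie so the client's cookie jar gets populated.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", exchange -> {
            String received = exchange.getRequestHeaders().getFirst("Cookie");
            if ("/login".equals(exchange.getRequestURI().getPath())) {
                // Constructed token for user A (Alice)
                exchange.getResponseHeaders().add("Set-Cookie", "session=alice-token; Path=/");
            }
            byte[] body = (received == null ? "(none)" : received).getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, body.length);
            try (OutputStream os = exchange.getResponseBody()) {
                os.write(body);
            }
        });
        server.start();
        String base = "http://127.0.0.1:" + server.getAddress().getPort();

        try {
            // Affected configuration: the default, self-managed CookieStore is enabled.
            System.out.println("default config  : " + cookieSeenOnSecondUsersRequest(Dsl.config(), base));
            // Workaround from the advisory: no shared cookie jar at all.
            System.out.println("cookieStore=null: " + cookieSeenOnSecondUsersRequest(Dsl.config().setCookieStore(null), base));
        } finally {
            server.stop(0);
        }
    }

    /**
     * Simulates two users sharing one client instance and returns the Cookie
     * header the origin saw on the second user's request.
     */
    static String cookieSeenOnSecondUsersRequest(DefaultAsyncHttpClientConfig.Builder config, String base)
            throws Exception {
        try (AsyncHttpClient client = Dsl.asyncHttpClient(config)) {
            // User A logs in; the response's Set-Cookie lands in the shared jar (if one is enabled).
            client.executeRequest(Dsl.get(base + "/login").build()).get();

            // User B's request explicitly carries a different session cookie of the same name
            // (constructed token for Bob).
            Request bobRequest = Dsl.get(base + "/profile")
                    .addCookie(new DefaultCookie("session", "bob-token"))
                    .build();
            Response response = client.executeRequest(bobRequest).get();
            return response.getResponseBody();
        }
    }
}
```

Run it once against 3.0.0 and once against 3.0.1 and compare the two printed lines. On an affected version, the behaviour described above predicts that the first line shows Alice's token on Bob's request, while the client built with setCookieStore(null) sends Bob's own token. Bear in mind that disabling the store removes automatic cookie persistence for the whole client, so every cookie the application relies on must then be set explicitly on each request.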
Weakness Enumeration
Improper Authentication
Related Identifiers
CVE-2024-53990
Affected Products
Async Http Client
Debian