CVE-2023-4639
Undertow incorrectly parses cookies
CVSS 3.1 base score: 7.4 (HIGH)
EPSS: 7.4%
Description
A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.
How to fix CVE-2023-4639
To remediate CVE-2023-4639, upgrade the affected package to a fixed version below.
- upgrade to 2.3.18-1 or later
- upgrade to 2.3.18-1 or later
- upgrade to 2.3.11.Final or later
Is CVE-2023-4639 being exploited?
Moderate — EPSS is 7.4%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (3)
- from 0, < 2.3.18-1
- from 0, < 2.3.18-1
- >= 2.3.0.Alpha1, < 2.3.11.Final
CVSS scores
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |