github · advisory-database · Dec 18, 2024 · Dec 17, 2024
diff --git a/advisories/github-reviewed/2024/12/GHSA-mfj5-cf8g-g2fv/GHSA-mfj5-cf8g-g2fv.json b/advisories/github-reviewed/2024/12/GHSA-mfj5-cf8g-g2fv/GHSA-mfj5-cf8g-g2fv.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mfj5-cf8g-g2fv",
-  "modified": "2024-12-16T22:51:13Z",
+  "modified": "2024-12-16T22:51:15Z",
   "published": "2024-12-02T20:04:43Z",
   "aliases": [
     "CVE-2024-53990"
   ],
   "summary": "AsyncHttpClient (AHC) library's `CookieStore` replaces explicitly defined `Cookie`s",
-  "details": "### Summary\n\nWhen making any HTTP request, the automatically enabled and self-managed `CookieStore` (aka cookie jar) will silently replace explicitly defined `Cookie`s with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user's `Cookie` being used for another user's requests.\n\n### Details\n\nThis issue is described without security warnings here:\n\nhttps://github.com/AsyncHttpClient/async-http-client/issues/1964\n\nA PR to fix this issue has been made:\n\nhttps://github.com/AsyncHttpClient/async-http-client/pull/2033\n\n### PoC\n\n1. Add an auth `Cookie` to the `CookieStore`\n    - This is identical to receiving an HTTP response that uses `Set-Cookie`, as shown in issue #1964 above.\n2. Handle a different user's request where the same `Cookie` is provided as a passthrough, like a JWT, and attempt to use it by explicitly providing it.\n3. Observe that the user's cookie in step 2 is passed as the Cookie in step 1.\n\n### Impact\n\nThis is generally going to be a problem for developers of backend services that implement third party auth features and use other features like token refresh. The moment a third party service responds by _setting_ a cookie in the response, the `CookieStore` will effectively break almost every follow-up request (hopefully by being rejected, but possibly by revealing a different user's information).\n\nIf your service sets cookies based on the response that happens here, it's possible to lead to even greater levels of exposure.\n\n### Workaroud\n\nYou can avoid this issue by disabling the `CookieStore` during client creation:\n\n```java\nDefaultAsyncHttpClientConfig.Builder clientBuilder = Dsl.config()\n .setCookieStore(null)\n // other configuration\n ;",
+  "details": "### Summary\n\nWhen making any HTTP request, the automatically enabled and self-managed `CookieStore` (aka cookie jar) will silently replace explicitly defined `Cookie`s with any that have the same name from the cookie jar. For services that operate with multiple users, this can result in one user's `Cookie` being used for another user's requests.\n\n### Details\n\nThis issue is described without security warnings here:\n\nhttps://github.com/AsyncHttpClient/async-http-client/issues/1964\n\nA PR to fix this issue has been made:\n\nhttps://github.com/AsyncHttpClient/async-http-client/pull/2033\n\n### PoC\n\n1. Add an auth `Cookie` to the `CookieStore`\n    - This is identical to receiving an HTTP response that uses `Set-Cookie`, as shown in issue #1964 above.\n2. Handle a different user's request where the same `Cookie` is provided as a passthrough, like a JWT, and attempt to use it by explicitly providing it.\n3. Observe that the user's cookie in step 2 is passed as the Cookie in step 1.\n\n### Impact\n\nThis is generally going to be a problem for developers of backend services that implement third party auth features and use other features like token refresh. The moment a third party service responds by _setting_ a cookie in the response, the `CookieStore` will effectively break almost every follow-up request (hopefully by being rejected, but possibly by revealing a different user's information).\n\nIf your service sets cookies based on the response that happens here, it's possible to lead to even greater levels of exposure.\n\n### Workaroud\n\nYou can avoid this issue by disabling the `CookieStore` during client creation:\n\n```java\nDefaultAsyncHttpClientConfig.Builder clientBuilder = Dsl.config()\n .setCookieStore(null)\n // other configuration\n ;\n```",
   "severity": [
     {
       "type": "CVSS_V4",