AsyncHttpClient Vulnerability Puts Java Applications at Risk

### #AsyncHttpClient #CookieVulnerability #JavaSecurity

Summary: A critical vulnerability (CVE-2024-53990) in the AsyncHttpClient library can cause one user's session cookie to be sent on another user's request, leading to unauthorized access to sensitive information. The issue arises from the library's automatically enabled CookieStore silently replacing cookies that the application set explicitly with same-named cookies it captured from earlier responses, which poses a significant risk in multi-user environments.


Key Points:

  • Vulnerability CVE-2024-53990 has a CVSS score of 9.2, indicating critical severity.
  • The issue arises from the CookieStore (cookie jar), which is enabled by default, silently replacing explicitly defined cookies with any same-named cookie held in its own store.
  • In multi-user environments this can send one user's cookie on another user's request, compromising user sessions and potentially exposing another user's data.
  • Affected version: AsyncHttpClient 3.0.0; users are advised to upgrade to version 3.0.1.
  • Discovered and reported by security researcher Chris Earle.

A critical severity vulnerability (CVE-2024-53990) has been discovered in the AsyncHttpClient (AHC) library, a popular Java library used for making asynchronous HTTP requests. This vulnerability, with a CVSS score of 9.2, can cause requests to be sent with the wrong user's session cookie, potentially giving a user unauthorized access to another user's sensitive information.

The vulnerability stems from how the library's CookieStore handles cookies. According to the security advisory, "the automatically enabled and self-managed CookieStore (aka cookie jar) will silently replace explicitly defined Cookies with any that have the same name from the cookie jar."

In simpler terms, when an application using AHC makes an HTTP request and explicitly attaches a cookie (for example, a specific user's session cookie), the CookieStore swaps that cookie for one of the same name that it previously captured from a response, without any warning. Because the cookie jar is enabled by default and shared by every request made through the same client instance, this is particularly dangerous in multi-user environments: a cookie captured while serving one user is silently sent on a different user's request.

This vulnerability poses a significant risk to applications that rely on AHC for handling user authentication and authorization, especially those that interact with third-party services on behalf of many users through a shared client. As the advisory explains, "The moment a third party service responds by setting a cookie in the response, the CookieStore will effectively break almost every follow-up request (hopefully by being rejected, but possibly by revealing a different user's information)." In other words, the best case is a stream of failed requests; the worst case is that the third-party service accepts the substituted cookie and returns data belonging to whichever user's session it captured first.
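To make the failure mode concrete, the following is an added example written against the AHC 3.x API; it is not code from the advisory or the AsyncHttpClient project. The upstream URL, the cookie name `session`, and the per-user token values are assumptions chosen for illustration. The first block shows the pattern the advisory warns about (one shared client, the default configuration, per-user cookies set explicitly); the second shows the isolation a practitioner would want regardless of version. Disabling the jar by passing `null` to `setCookieStore` is an assumption to confirm against the version you ship; upgrading to 3.0.1 remains the actual fix.

```java
import io.netty.handler.codec.http.cookie.Cookie;
import io.netty.handler.codec.http.cookie.DefaultCookie;
import org.asynchttpclient.AsyncHttpClient;
import org.asynchttpclient.DefaultAsyncHttpClientConfig;
import org.asynchttpclient.Dsl;
import org.asynchttpclient.Response;

public class CookieJarDemo {

    // Hypothetical third-party endpoint (assumption, not a real service) that
    // authenticates callers by a "session" cookie and also sets one in its response.
    private static final String UPSTREAM = "https://third-party.example/api/whoami";

    // Sends one request on behalf of one user, attaching that user's session
    // cookie explicitly on the request itself.
    static Response requestAs(AsyncHttpClient client, String userSessionToken) throws Exception {
        Cookie session = new DefaultCookie("session", userSessionToken);
        session.setDomain("third-party.example");
        session.setPath("/");
        return client.prepareGet(UPSTREAM)
                .addCookie(session)
                .execute()
                .get();
    }

    public static void main(String[] args) throws Exception {
        // VULNERABLE on AHC 3.0.0: Dsl.asyncHttpClient() uses the default config,
        // which enables a cookie jar shared by every request made through this client.
        try (AsyncHttpClient shared = Dsl.asyncHttpClient()) {
            // Alice's request. If the upstream answers with "Set-Cookie: session=...",
            // that value is now held in the jar shared by all callers of this client.
            Response alice = requestAs(shared, "alice-token");
            System.out.println("alice        -> HTTP " + alice.getStatusCode());

            // Bob's request explicitly sets session=bob-token, but on 3.0.0 the jar's
            // same-named "session" cookie silently replaces it. Bob is sent as Alice:
            // either the upstream rejects the request or it returns Alice's data to Bob.
            Response bob = requestAs(shared, "bob-token");
            System.out.println("bob          -> HTTP " + bob.getStatusCode());
        }

        // HARDENED: do not let the client manage cookies at all, so only the cookies
        // each request attaches explicitly are ever sent. Assumption: passing null to
        // setCookieStore disables the jar in the version in use; verify before relying on it.
        DefaultAsyncHttpClientConfig.Builder noJar = Dsl.config().setCookieStore(null);
        try (AsyncHttpClient isolated = Dsl.asyncHttpClient(noJar)) {
            Response bob = requestAs(isolated, "bob-token");
            System.out.println("bob (no jar) -> HTTP " + bob.getStatusCode());
        }
    }
}
```

If your application genuinely needs a cookie jar (for example, to follow a login flow against the third party), give each user or tenant its own client instance or its own `CookieStore` rather than sharing one across users, and treat any cookie the client adds on its own as untrusted input when reviewing outbound requests.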

The vulnerability affects AHC version 3.0.0.

Security researcher Chris Earle has been credited with discovering and reporting this vulnerability.

Developers and organizations using AHC in their applications are strongly advised to upgrade to the patched version 3.0.1 immediately. Note that AHC is frequently pulled in transitively by other libraries, so check the resolved version of `org.asynchttpclient:async-http-client` in the full dependency tree rather than only in direct dependencies.

Source: https://securityonline.info/cve-2024-53990-asynchttpclient-vulnerability-puts-java-applications-at-risk