CVE-2024-44575 in RELY-PCIe
Summary
by MITRE • 09/11/2024
RELY-PCIe v22.2.1 to v23.1.0 does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in cleartext over an HTTP session.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/28/2025
The vulnerability identified as CVE-2024-44575 affects RELY-PCIe software versions between v22.2.1 and v23.1.0, representing a critical security flaw in cookie handling mechanisms. This issue manifests when the application fails to properly configure the Secure attribute for cookies that are transmitted during HTTPS sessions, creating a dangerous scenario where sensitive authentication tokens and session identifiers could be exposed to potential attackers. The flaw essentially undermines the fundamental security principles of secure cookie transmission and demonstrates poor implementation of web application security practices. The vulnerability stems from inadequate server-side cookie configuration where the application does not enforce the Secure flag on cookies that should only be transmitted over encrypted connections, leaving session management exposed to man-in-the-middle attacks and session hijacking attempts.
The technical root cause of this vulnerability aligns with CWE-614, which specifically addresses the improper handling of cookies with the Secure attribute, and relates to CWE-310, which covers cryptographic issues in cookie handling. This flaw operates at the application layer and represents a failure in secure communication protocols where the web application does not properly enforce transport layer security for session management components. The vulnerability creates a direct pathway for attackers to intercept sensitive cookies when users navigate between HTTP and HTTPS contexts, particularly when the application fails to redirect users properly or when mixed content scenarios occur. The absence of the Secure attribute means that even if the initial connection was encrypted, subsequent requests over unencrypted channels could still transmit these cookies, effectively nullifying the security benefits of HTTPS.
The operational impact of CVE-2024-44575 is significant and multifaceted, as it enables attackers to potentially hijack user sessions, gain unauthorized access to sensitive systems, and perform privilege escalation attacks. When cookies lack the Secure attribute, they become vulnerable to interception during network traffic analysis, particularly in environments where attackers can monitor network communications or when users access systems through unsecured networks such as public wifi. This vulnerability particularly affects applications that rely on persistent session management and authentication tokens, as the exposure of these credentials could lead to complete system compromise. The impact extends beyond simple session theft to include potential data breaches, unauthorized system modifications, and the ability to impersonate legitimate users within the RELY-PCIe environment. The vulnerability creates an attack surface that aligns with ATT&CK technique T1566, specifically focusing on credential access through unsecured network communications.
Organizations utilizing affected RELY-PCIe versions should immediately implement mitigation strategies including updating to the latest available version that addresses this vulnerability, implementing proper cookie configuration policies, and conducting comprehensive security assessments of their web applications. The recommended remediation involves ensuring that all sensitive cookies are explicitly configured with the Secure attribute and that applications enforce proper HTTPS-only cookie transmission. Additional mitigations include implementing HSTS (HTTP Strict Transport Security) headers, configuring proper redirect rules to ensure consistent HTTPS usage, and conducting regular security audits of cookie handling mechanisms. Network administrators should also consider implementing additional monitoring and detection capabilities to identify potential cookie interception attempts. The vulnerability demonstrates the critical importance of adhering to secure coding practices and proper security configuration management as outlined in various security standards including OWASP Top Ten and NIST cybersecurity frameworks, emphasizing the need for comprehensive security testing and validation of web application components.