CVE-2024-44575: n/a
CVE-2024-44575 is a vulnerability in RELY-PCIe versions 22.2.1 through 23.1.0 where sensitive cookies used in HTTPS sessions lack the Secure attribute. This omission can cause user agents to send these cookies over unencrypted HTTP connections, exposing them to interception. The vulnerability has a CVSS score of 3.7, indicating low severity, as exploitation requires network access but no privileges or user interaction. The impact primarily concerns confidentiality, with no direct effect on integrity or availability. No known exploits are currently reported in the wild.
AI Analysis
Technical Summary
CVE-2024-44575 identifies a security vulnerability in the RELY-PCIe software, specifically versions 22.2.1 through 23.1.0. The issue arises because the software does not set the Secure attribute on sensitive cookies during HTTPS sessions. The Secure attribute instructs browsers to only send cookies over encrypted HTTPS connections, preventing exposure over unencrypted HTTP. Without this attribute, user agents may inadvertently transmit these cookies over HTTP, potentially exposing them to network attackers capable of intercepting traffic. This vulnerability is categorized under CWE-732, which relates to incorrect permission assignment for critical resources. The CVSS 3.1 base score is 3.7 (low), with the vector indicating network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and low confidentiality impact (C:L). There are no known exploits in the wild, and no patches have been linked yet. The vulnerability primarily threatens confidentiality by risking cookie theft, which could lead to session hijacking or unauthorized access if attackers capture these cookies. However, the high attack complexity and lack of known exploits reduce immediate risk. The vulnerability affects all deployments of RELY-PCIe within the specified versions that handle sensitive cookies without the Secure attribute. This flaw underscores the importance of secure cookie attributes in protecting session data and preventing man-in-the-middle attacks.
Potential Impact
The primary impact of CVE-2024-44575 is the potential exposure of sensitive cookies over unencrypted HTTP connections, which compromises confidentiality. Attackers positioned on the same network path could intercept these cookies, potentially leading to session hijacking or unauthorized access to user accounts or services. However, the vulnerability does not affect integrity or availability, and exploitation requires the attacker to be able to intercept network traffic, which may limit the attack surface. The high attack complexity further reduces the likelihood of successful exploitation. Organizations relying on RELY-PCIe for critical infrastructure or sensitive applications could face increased risk of data leakage if this vulnerability is not addressed. Although no known exploits exist currently, the vulnerability could be leveraged in targeted attacks, especially in environments where mixed HTTP/HTTPS traffic is common or where network controls are weak. The absence of the Secure attribute on cookies is a fundamental security misconfiguration that can undermine otherwise secure HTTPS sessions.
Mitigation Recommendations
To mitigate CVE-2024-44575, organizations should immediately review and update their RELY-PCIe deployments to ensure that all sensitive cookies have the Secure attribute set. This may require applying patches or configuration changes once available from the vendor. In the interim, network administrators should enforce HTTPS-only policies and consider implementing HTTP Strict Transport Security (HSTS) to prevent downgrade to HTTP. Additionally, monitoring network traffic for unencrypted cookie transmission can help detect potential exploitation attempts. Segmentation and encryption of internal networks can reduce the risk of interception. Organizations should also audit web application and infrastructure configurations to ensure compliance with secure cookie practices, including setting HttpOnly and SameSite attributes where appropriate. Regular security assessments and penetration testing can help identify any residual risks related to cookie handling. Finally, educating developers and administrators about secure cookie management is essential to prevent similar vulnerabilities.
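The audit described above can be scripted against captured response headers. The following is an added example, not vendor or RELY-PCIe code: it flags cookies that lack Secure, HttpOnly or SameSite and responses that lack HSTS. The header values are constructed sample data and the function names are hypothetical.

```python
# Added example: audit response headers for the cookie attributes and HSTS
# policy named in the mitigation text. SAMPLE_HEADERS is constructed data,
# not output captured from a RELY-PCIe device.

SAMPLE_HEADERS = [
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrf=xyz; Path=/; Secure; SameSite=Strict"),
    ("Set-Cookie", "prefs=dark; Path=/; secure; HttpOnly; SameSite=Lax"),
]

REQUIRED_ATTRS = ("secure", "httponly", "samesite")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise before comparing.
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(headers):
    """Return (subject, finding) pairs for weak cookies and missing HSTS."""
    findings = []
    has_hsts = False
    for header, value in headers:
        header = header.lower()
        if header == "strict-transport-security":
            has_hsts = True
        elif header == "set-cookie":
            name, attrs = parse_set_cookie(value)
            for attr in REQUIRED_ATTRS:
                if attr not in attrs:
                    findings.append((name, f"missing {attr}"))
    if not has_hsts:
        findings.append(("response", "missing Strict-Transport-Security"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_headers(SAMPLE_HEADERS):
        print(f"{subject}: {finding}")
```

A cookie reported as `missing secure` is the condition this CVE describes; the other findings cover the HttpOnly, SameSite and HSTS recommendations.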
Affected Countries
United States, Germany, Japan, South Korea, United Kingdom, France, China, India, Canada, Australia
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-08-21T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6ce0b7ef31ef0b569bb8
Added to database: 2/25/2026, 9:42:56 PM
Last enriched: 2/26/2026, 7:57:23 AM
Last updated: 2/26/2026, 9:55:09 AM