Id and access tokens leak via the authorization code flow
CVE-2023-1584

7.5HIGH

Key Information:

Vendor
Red Hat
Status
quarkus-oidc
Red Hat build of Quarkus
Red Hat Integration Service Registry
Vendor
CVE Published:
4 October 2023

Summary

A security flaw in Quarkus OIDC has been identified, allowing the potential leakage of ID and access tokens when utilizing an insecure HTTP protocol during the authorization code flow. This vulnerability creates avenues for attackers to gain access to sensitive user data either directly from the ID token or by exploiting the access token to interact with OIDC provider services. It is important to note that the access tokens do not store passwords, yet their exposure could still result in significant privacy and security issues.

Affected Version(s)

quarkus-oidc 3.1.0.CR1

References

https://access.redhat.com/errata/RHSA-2023:3809
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-1584
vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2180886
issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database

Credit

This issue was discovered by Paulo Lopes (Red Hat).
.