TLS protocol configured with quarkus.http.ssl.protocols is not enforced; client can force a weaker supported TLS protocol
CVE-2023-2974

8.1 HIGH

Key Information:

Vendor: Red Hat
CVE Published: 4 July 2023

Summary

quarkus-core did not enforce the TLS protocol versions configured with quarkus.http.ssl.protocols on its HTTP server. Even when the property restricted the server to, for example, TLSv1.3 and TLSv1.2, the server still completed handshakes for the other TLS versions supported by the underlying runtime, so a client, or an active attacker between client and server, could negotiate a weaker TLS version than the operator intended and expose the connection to interception and downgrade attacks against the confidentiality and integrity of the transmitted data. Because the configured setting was accepted but not applied, changing the property does not help; the server must run a quarkus-core release that actually enforces it, and operators should verify from the outside which TLS versions the server really accepts.
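Since the affected server ignores the property without any error, the reliable check is an external probe that compares what the configuration promises with what the server negotiates. The script below is an added example written for this page, not Quarkus project code: it reads quarkus.http.ssl.protocols from application.properties text (falling back to the Quarkus documented default of TLSv1.3,TLSv1.2), pins a handshake to each TLS version with Python's ssl module, and reports every version the server accepted that the configuration should have excluded. The host, port and the embedded properties text are constructed sample values.

```python
import socket
import ssl

# Quarkus documented default for quarkus.http.ssl.protocols.
DEFAULT_PROTOCOLS = ("TLSv1.3", "TLSv1.2")

# Protocol names as Quarkus spells them, mapped to the ssl module's enum.
PROBE_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Constructed sample application.properties; the operator believes
# only TLS 1.3 and 1.2 are allowed.
SAMPLE_PROPERTIES = """
# constructed example configuration
quarkus.http.port=8080
quarkus.http.ssl-port=8443
quarkus.http.ssl.protocols=TLSv1.3,TLSv1.2
"""


def configured_protocols(properties_text):
    """Return the TLS versions application.properties allows.

    Only the key=value form is handled (the common Quarkus style); comment
    lines starting with '#' or '!' are skipped. Missing key means default.
    """
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "quarkus.http.ssl.protocols":
            return tuple(p.strip() for p in value.split(",") if p.strip())
    return DEFAULT_PROTOCOLS


def probe_version(host, port, name, timeout=5.0):
    """Attempt one handshake pinned to a single TLS version.

    Returns the negotiated version string on success, None if the server
    (or the local OpenSSL build) refused it. Certificate validation is
    disabled because only protocol acceptance is being tested.
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = PROBE_VERSIONS[name]
        ctx.maximum_version = PROBE_VERSIONS[name]
        if name in ("TLSv1", "TLSv1.1"):
            # OpenSSL 3 refuses TLS 1.0/1.1 on the client side at its
            # default security level; lower it so the server gets to decide.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError, ValueError):
        return None


def unexpected_protocols(configured, negotiated):
    """Versions the server accepted although the configuration excludes them."""
    return tuple(v for v in negotiated if v not in configured)


def audit(host, port, properties_text, timeout=5.0):
    """Probe every TLS version and compare against the configured list."""
    configured = configured_protocols(properties_text)
    negotiated = [
        name for name in PROBE_VERSIONS
        if probe_version(host, port, name, timeout) is not None
    ]
    return configured, negotiated, unexpected_protocols(configured, negotiated)


if __name__ == "__main__":
    # Constructed target; point this at the real Quarkus SSL port.
    configured, negotiated, bad = audit("localhost", 8443, SAMPLE_PROPERTIES)
    print("configured:", configured)
    print("negotiated:", negotiated)
    if bad:
        print("NOT ENFORCED, server accepted:", bad)
    else:
        print("configured protocol list is enforced")
```

A non-empty "NOT ENFORCED" result against a server whose configuration lists only TLSv1.3 and TLSv1.2 is the observable symptom of this issue. An empty result for TLSv1 and TLSv1.1 can also mean the local OpenSSL build would not offer them at all, so confirm the client side is capable (for example with openssl s_client against a known permissive server) before treating a silent refusal as proof of enforcement.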

Affected Version(s)

Quarkus 2.13.8

CVSS V3.1

Score: 8.1
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 4 July 2023

Credit

This issue was discovered by Alexander Schwartz (Red Hat).