TLS protocol configured with quarkus.http.ssl.protocols is not enforced; a client can negotiate a weaker supported TLS protocol
CVE-2023-2974
8.1 HIGH
Summary
A configuration flaw exists in the quarkus-core TLS protocol handling: the protocol versions set in quarkus.http.ssl.protocols are not enforced, so a client can negotiate a weaker TLS version that the server still supports even though the server is configured to restrict the allowed versions. This exposes affected systems to interception and protocol downgrade attacks and undermines the integrity of data transmitted over the supposedly restricted channel. Enforcing the configured TLS protocol settings is required to mitigate this vulnerability.
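The practical question for a defender is whether a deployment actually rejects every TLS version outside its quarkus.http.ssl.protocols allow-list. The script below is an added example (not Quarkus project code) that answers that question for a server you operate: it pins a client to one TLS version at a time and compares what the server accepts against the configured list. Everything is assumed except the property name and the Java-style version names (TLSv1, TLSv1.1, TLSv1.2, TLSv1.3); the host and port are supplied on the command line, and the check_enforcement function takes a probe callable so the comparison logic can be exercised without a network.

```python
"""Check that a TLS endpoint negotiates only the protocol versions it is
configured to allow (quarkus.http.ssl.protocols).  Added example, not
Quarkus code.  Run it against your own deployment:

    python check_tls_enforcement.py host 8443 TLSv1.3
"""
import socket
import ssl
import sys
from typing import Callable, Dict, List

# Java/Vert.x protocol names (as written in quarkus.http.ssl.protocols)
# mapped to the Python ssl module's TLSVersion enum.
JAVA_TO_PY = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
ALL_VERSIONS: List[str] = list(JAVA_TO_PY)


def probe_server(host: str, port: int, version: str, timeout: float = 5.0) -> bool:
    """Return True if the server completes a handshake pinned to exactly `version`.

    Certificate verification is switched off on purpose: this check only
    asks which protocol versions the server is willing to negotiate, not
    whether its certificate chain is trusted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Pin both bounds so the client offers this one version only.
        ctx.minimum_version = JAVA_TO_PY[version]
        ctx.maximum_version = JAVA_TO_PY[version]
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # ssl.SSLSocket.version() returns e.g. "TLSv1.2", matching
                # the Java names used above.
                return tls.version() == version
    except (ssl.SSLError, OSError, ValueError):
        # Handshake refused, connection failed, or the local OpenSSL build
        # does not support that version at all: treated as "not accepted".
        return False


def check_enforcement(configured: List[str],
                      probe: Callable[[str], bool]) -> Dict[str, str]:
    """Compare the configured allow-list with observed server behaviour.

    `probe(version)` returns True when the server accepted that version.
    Verdict per version:
      "ok"                observed behaviour matches the configuration
      "NOT_ENFORCED"      a version outside the allow-list was accepted
      "UNEXPECTED_REJECT" an allowed version was refused
    """
    verdicts: Dict[str, str] = {}
    for version in ALL_VERSIONS:
        accepted = probe(version)
        allowed = version in configured
        if accepted and not allowed:
            verdicts[version] = "NOT_ENFORCED"
        elif allowed and not accepted:
            verdicts[version] = "UNEXPECTED_REJECT"
        else:
            verdicts[version] = "ok"
    return verdicts


def is_enforced(verdicts: Dict[str, str]) -> bool:
    """True when no version outside the allow-list was negotiated."""
    return all(v != "NOT_ENFORCED" for v in verdicts.values())


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: check_tls_enforcement.py HOST PORT [ALLOWED_VERSION ...]")
    host, port = sys.argv[1], int(sys.argv[2])
    allowed = sys.argv[3:] or ["TLSv1.3"]  # assumed default: TLS 1.3 only
    result = check_enforcement(allowed, lambda v: probe_server(host, port, v))
    for version, verdict in result.items():
        print(f"{version:8} {verdict}")
    sys.exit(0 if is_enforced(result) else 1)
```

A NOT_ENFORCED verdict for any version is the behaviour this advisory describes: the server was configured to restrict protocols but still completed a handshake outside that list. UNEXPECTED_REJECT is not a security finding but usually means the local OpenSSL policy (or the server) refuses that version for other reasons, so the allow-list in the command line should be checked against the actual application.properties.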
Affected Version(s)
Quarkus 2.13.8
CVSS v3.1
Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
This issue was discovered by Alexander Schwartz (Red Hat).