TLS protocol configured with quarkus.http.ssl.protocols is not enforced; client can enforce a weaker supported TLS protocol
CVE-2023-2974
6.5 MEDIUM
Key Information:
- Vendor: Red Hat
- CVE Published: 4 July 2023
What is CVE-2023-2974?
A flaw exists in the quarkus-core TLS protocol implementation: the TLS protocol versions configured with quarkus.http.ssl.protocols are not enforced, so a client can negotiate a weaker supported TLS version even when the server is meant to require a stricter protocol level. This can expose systems to interception and downgrade attacks, undermining the confidentiality and integrity of data transmitted over the affected channels. Proper enforcement of the configured TLS protocol settings is required to mitigate the risk associated with this vulnerability.
Affected Version(s)
Red Hat build of Quarkus 2.13.8.Final 2.13.8.Final-redhat-00004
CVSS V3.1
- Score: 6.5
- Severity: MEDIUM
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
Credit
This issue was discovered by Alexander Schwartz (Red Hat).