Tls protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported tls protocol
CVE-2023-2974

8.1HIGH

Key Information:

Vendor
Red Hat
Status
Quarkus
Red Hat build of Quarkus
Vendor
CVE Published:
4 July 2023

Summary

A configuration flaw exists in the quarkus-core TLS protocol implementation that permits clients to select a weaker supported TLS version when the server should enforce strict protocol levels. This misconfiguration can expose systems to potential interception and downgrade attacks, affecting the overall integrity of data transmitted over secure channels. Proper enforcement of the TLS protocol settings is required to mitigate the risk associated with this vulnerability.

Affected Version(s)

Quarkus 2.13.8

References

https://access.redhat.com/errata/RHSA-2023:3809
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-2974
vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2211026
issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was discovered by Alexander Schwartz (Red Hat).
.