Quarkus: http security policy bypass
CVE-2023-4853

8.1HIGH

Key Information:

Vendor

Red Hat
Status
Openshift Serverless 1 On Rhel 8
Red Hat Build Of Optaplanner 8
Red Hat Build Of Quarkus 2.13.8.sp2
Red Hat Camel Extensions For Quarkus 2.13.3-1
Vendor
CVE Published:
20 September 2023

What is CVE-2023-4853?

A vulnerability in Quarkus has been identified where HTTP security policies fail to correctly sanitize certain character permutations in incoming requests. This flaw may lead to the incorrect evaluation of permissions, enabling an attacker to circumvent the security policy. Such exploitation could allow unauthorized access to sensitive endpoints and potentially trigger a denial of service.

Affected Version(s)

Openshift Serverless 1 on RHEL 8 0:1.9.2-3.el8

Red Hat build of Quarkus 2.13.8.SP2 2.13.8.Final-redhat-00005

Red Hat build of Quarkus 2.13.8.SP2 2.13.8.Final-redhat-00005

References

https://access.redhat.com/errata/RHSA-2023:5170
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:5310
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:5337
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.