Vulnerabilites related to Red Hat - RHINT Service Registry 2.5.4 GA
cve-2023-1584
Vulnerability from cvelistv5
Published
2023-10-04 10:47
Modified
2024-08-02 05:57
Severity ?
EPSS score ?
Summary
A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2023:3809 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2023:7653 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/security/cve/CVE-2023-1584 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2180886 | issue-tracking, x_refsource_REDHAT | |
| https://github.com/quarkusio/quarkus/pull/32192 | ||
| https://github.com/quarkusio/quarkus/pull/33414 |
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | ||||||||||||||
|
||||||||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T05:57:23.278Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2023:3809", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:3809", }, { name: "RHSA-2023:7653", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:7653", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-1584", }, { name: "RHBZ#2180886", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180886", }, { tags: [ "x_transferred", ], url: "https://github.com/quarkusio/quarkus/pull/32192", }, { tags: [ "x_transferred", ], url: "https://github.com/quarkusio/quarkus/pull/33414", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://mvnrepository.com/artifact/io.quarkus", packageName: "quarkus-oidc", versions: [ { status: "unaffected", version: "3.1.0.CR1", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:quarkus:2.13", ], defaultStatus: "affected", packageName: "io.quarkus/quarkus-oidc", product: "Red Hat build of Quarkus 2.13.8.Final", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "2.13.8.Final-redhat-00004", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:service_registry:2.5", ], defaultStatus: "unaffected", packageName: "quarkus-oidc", product: "RHINT Service Registry 2.5.4 GA", vendor: "Red Hat", }, ], credits: [ { lang: "en", value: "This issue was discovered by Paulo Lopes (Red Hat).", }, ], datePublic: "2023-03-22T00:00:00+00:00", descriptions: [ { lang: "en", value: "A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Low", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-200", description: "Exposure of Sensitive Information to an Unauthorized Actor", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-03T15:32:34.371Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2023:3809", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:3809", }, { name: "RHSA-2023:7653", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:7653", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2023-1584", }, { name: "RHBZ#2180886", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180886", }, { url: "https://github.com/quarkusio/quarkus/pull/32192", }, { url: "https://github.com/quarkusio/quarkus/pull/33414", }, ], timeline: [ { lang: "en", time: "2023-03-22T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2023-03-22T00:00:00+00:00", value: "Made public.", }, ], title: "Quarkus-oidc: id and access tokens leak via the authorization code flow", x_redhatCweChain: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-1584", datePublished: "2023-10-04T10:47:37.831Z", dateReserved: "2023-03-22T20:15:15.323Z", dateUpdated: "2024-08-02T05:57:23.278Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-4853
Vulnerability from cvelistv5
Published
2023-09-20 09:47
Modified
2024-11-23 01:02
Severity ?
EPSS score ?
Summary
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Red Hat | Openshift Serverless 1 on RHEL 8 |
Unaffected: 0:1.9.2-3.el8 < * cpe:/a:redhat:serverless:1.0::el8 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T07:38:00.803Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2023:5170", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:5170", }, { name: "RHSA-2023:5310", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:5310", }, { name: "RHSA-2023:5337", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:5337", }, { name: "RHSA-2023:5446", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:5446", }, { name: "RHSA-2023:5479", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:5479", }, { name: "RHSA-2023:5480", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:5480", }, { name: "RHSA-2023:6107", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:6107", }, { name: "RHSA-2023:6112", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:6112", }, { name: "RHSA-2023:7653", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:7653", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-4853", }, { name: "RHSB-2023-002", tags: [ "technical-description", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002", }, { name: "RHBZ#2238034", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2238034", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:serverless:1.0::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-clients", product: "Openshift Serverless 1 on RHEL 8", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:1.9.2-3.el8", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:optaplanner:::el6", ], defaultStatus: "unaffected", packageName: "quarkus-vertx-http", product: "Red Hat build of OptaPlanner 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:quarkus:2.13", ], defaultStatus: "affected", packageName: "io.quarkus/quarkus-keycloak-authorization", product: "Red Hat build of Quarkus 2.13.8.SP2", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "2.13.8.Final-redhat-00005", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:quarkus:2.13", ], defaultStatus: "affected", packageName: "io.quarkus/quarkus-undertow", product: "Red Hat build of Quarkus 2.13.8.SP2", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "2.13.8.Final-redhat-00005", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:quarkus:2.13", ], defaultStatus: "affected", packageName: "io.quarkus/quarkus-vertx-http", product: "Red Hat build of Quarkus 2.13.8.SP2", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "2.13.8.Final-redhat-00005", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:camel_quarkus:2.13", ], defaultStatus: "unaffected", packageName: "quarkus-vertx-http", product: "Red Hat Camel Extensions for Quarkus 2.13.3-1", vendor: "Red Hat", }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_serverless:1.30::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-1/client-kn-rhel8", product: "Red Hat OpenShift Serverless 1.30", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "1.9.2-3", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_serverless:1.30::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-1/ingress-rhel8-operator", product: "Red Hat OpenShift Serverless 1.30", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "1.30.1-1", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_serverless:1.30::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-1/knative-rhel8-operator", product: "Red Hat OpenShift Serverless 1.30", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "1.30.1-1", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_serverless:1.30::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-1/kn-cli-artifacts-rhel8", product: "Red Hat OpenShift Serverless 1.30", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "1.9.2-3", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_serverless:1.30::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-1/serverless-operator-bundle", product: "Red Hat OpenShift Serverless 1.30", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "1.30.1-1", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_serverless:1.30::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-1/serverless-rhel8-operator", product: "Red Hat OpenShift Serverless 1.30", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "1.30.1-1", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_serverless:1.30::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-1/svls-must-gather-rhel8", product: "Red Hat OpenShift Serverless 1.30", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "1.30.1-1", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_serverless:1.30::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-1-tech-preview/logic-data-index-ephemeral-rhel8", product: "Red Hat OpenShift Serverless 1.30", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "1.30.0-5", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_serverless:1.30::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-1-tech-preview/logic-swf-builder-rhel8", product: "Red Hat OpenShift Serverless 1.30", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "1.30.0-6", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift_serverless:1.30::el8", ], defaultStatus: "affected", packageName: "openshift-serverless-1-tech-preview/logic-swf-devmode-rhel8", product: "Red Hat OpenShift Serverless 1.30", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "1.30.0-6", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:rhosemc:1.0::el8", ], defaultStatus: "affected", packageName: "rhpam-7/rhpam-kogito-builder-rhel8", product: "RHEL-8 based Middleware Containers", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "7.13.4-3", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:rhosemc:1.0::el8", ], defaultStatus: "affected", packageName: "rhpam-7/rhpam-kogito-rhel8-operator", product: "RHEL-8 based Middleware Containers", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "7.13.4-2", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:rhosemc:1.0::el8", ], defaultStatus: "affected", packageName: "rhpam-7/rhpam-kogito-rhel8-operator-bundle", product: "RHEL-8 based Middleware Containers", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "7.13.4-2", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:rhosemc:1.0::el8", ], defaultStatus: "affected", packageName: "rhpam-7/rhpam-kogito-runtime-jvm-rhel8", product: "RHEL-8 based Middleware Containers", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "7.13.4-3", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:rhosemc:1.0::el8", ], defaultStatus: "affected", packageName: "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8", product: "RHEL-8 based Middleware Containers", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "7.13.4-3", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:camel_k:1", ], defaultStatus: "unaffected", packageName: "quarkus-vertx-http", product: "RHINT Camel-K-1.10.2", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:service_registry:2.5", ], defaultStatus: "unaffected", packageName: "quarkus-vertx-http", product: "RHINT Service Registry 2.5.4 GA", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", ], defaultStatus: "unaffected", product: "RHPAM 7.13.4 async", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", ], defaultStatus: "affected", packageName: "quarkus-vertx-http", product: "Red Hat Process Automation 7", vendor: "Red Hat", }, ], datePublic: "2023-09-08T00:00:00+00:00", descriptions: [ { lang: "en", value: "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Important", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-148", description: "Improper Neutralization of Input Leaders", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-11-23T01:02:43.871Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2023:5170", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:5170", }, { name: "RHSA-2023:5310", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:5310", }, { name: "RHSA-2023:5337", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:5337", }, { name: "RHSA-2023:5446", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:5446", }, { name: "RHSA-2023:5479", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:5479", }, { name: "RHSA-2023:5480", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:5480", }, { name: "RHSA-2023:6107", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:6107", }, { name: "RHSA-2023:6112", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:6112", }, { name: "RHSA-2023:7653", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:7653", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2023-4853", }, { name: "RHSB-2023-002", tags: [ "technical-description", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002", }, { name: "RHBZ#2238034", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2238034", }, ], timeline: [ { lang: "en", time: "2023-09-08T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2023-09-08T00:00:00+00:00", value: "Made public.", }, ], title: "Quarkus: http security policy bypass", workarounds: [ { lang: "en", value: "Use a ‘deny’ wildcard for base paths, then authenticate specifics within that:\n\nExamples:\n```\ndeny: /*\nauthenticated: /services/*\n```\nor\n```\ndeny: /services/*\nroles-allowed: /services/rbac/*\n```\n\nNOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected–shipping the component in question–without being vulnerable (“affected at reduced impact”).\n\nSee https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations.", }, ], x_redhatCweChain: "CWE-148: Improper Neutralization of Input Leaders", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-4853", datePublished: "2023-09-20T09:47:32.150Z", dateReserved: "2023-09-08T16:10:38.379Z", dateUpdated: "2024-11-23T01:02:43.871Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }