csaf_redhat - rhsa-2023

rhsa-2023_6107

Vulnerability from csaf_redhat

Published

2023-10-25 12:34

Modified

2024-11-06 04:00

Summary

Red Hat Security Advisory: Updated Kogito for Red Hat Process Automation Manager 7.13.4 SP1 Images

Notes

Topic

A Kogito update is now available for Red Hat Process Automation Manager, including images for Red Hat OpenShift Container Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services. This release includes security fixes. Security Fix(es): * quarkus: HTTP security policy bypass (CVE-2023-4853) A Red Hat Security Bulletin which addresses further details about this flaw is available in the References section. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "A Kogito update is now available for Red Hat Process Automation Manager, including images for Red Hat OpenShift Container Platform.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis release includes security fixes.\n\nSecurity Fix(es):\n\n* quarkus: HTTP security policy bypass (CVE-2023-4853)\n\nA Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2023:6107",
        "url": "https://access.redhat.com/errata/RHSA-2023:6107"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002",
        "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002"
      },
      {
        "category": "external",
        "summary": "2238034",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_6107.json"
      }
    ],
    "title": "Red Hat Security Advisory: Updated Kogito for Red Hat Process Automation Manager 7.13.4 SP1 Images",
    "tracking": {
      "current_release_date": "2024-11-06T04:00:50+00:00",
      "generator": {
        "date": "2024-11-06T04:00:50+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.1.1"
        }
      },
      "id": "RHSA-2023:6107",
      "initial_release_date": "2023-10-25T12:34:17+00:00",
      "revision_history": [
        {
          "date": "2023-10-25T12:34:17+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-10-25T12:34:17+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-06T04:00:50+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Middleware Containers for OpenShift",
                "product": {
                  "name": "Middleware Containers for OpenShift",
                  "product_id": "8Base-RHOSE-Middleware",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhosemc:1.0::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Enterprise"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le",
                "product": {
                  "name": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le",
                  "product_id": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5?arch=ppc64le\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-builder-rhel8\u0026tag=7.13.4-3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le",
                "product": {
                  "name": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le",
                  "product_id": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6?arch=ppc64le\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-rhel8-operator-bundle\u0026tag=7.13.4-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le",
                "product": {
                  "name": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le",
                  "product_id": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406?arch=ppc64le\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-rhel8-operator\u0026tag=7.13.4-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le",
                "product": {
                  "name": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le",
                  "product_id": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064?arch=ppc64le\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-runtime-jvm-rhel8\u0026tag=7.13.4-3"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64",
                "product": {
                  "name": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64",
                  "product_id": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-builder-rhel8\u0026tag=7.13.4-3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64",
                "product": {
                  "name": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64",
                  "product_id": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-rhel8-operator-bundle\u0026tag=7.13.4-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64",
                "product": {
                  "name": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64",
                  "product_id": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-rhel8-operator\u0026tag=7.13.4-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64",
                "product": {
                  "name": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64",
                  "product_id": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-runtime-jvm-rhel8\u0026tag=7.13.4-3"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64",
                "product": {
                  "name": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64",
                  "product_id": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8\u0026tag=7.13.4-3"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64 as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64"
        },
        "product_reference": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64 as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64"
        },
        "product_reference": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le"
        },
        "product_reference": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64 as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64"
        },
        "product_reference": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le"
        },
        "product_reference": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le"
        },
        "product_reference": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64 as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64"
        },
        "product_reference": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64 as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64"
        },
        "product_reference": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le as a component of Middleware Containers for OpenShift",
          "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le"
        },
        "product_reference": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le",
        "relates_to_product_reference": "8Base-RHOSE-Middleware"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-4853",
      "cwe": {
        "id": "CWE-148",
        "name": "Improper Neutralization of Input Leaders"
      },
      "discovery_date": "2023-09-08T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2238034"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "quarkus: HTTP security policy bypass",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHOSE-Middleware:rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64",
          "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64",
          "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le",
          "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64",
          "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le",
          "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le",
          "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64",
          "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64",
          "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-4853"
        },
        {
          "category": "external",
          "summary": "RHBZ#2238034",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034"
        },
        {
          "category": "external",
          "summary": "RHSB-2023-002",
          "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-4853",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-4853"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-4853",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4853"
        }
      ],
      "release_date": "2023-09-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-10-25T12:34:17+00:00",
          "details": "Updated Red Hat Process Automation Manager 7.13.4 SP1 OpenShift images can be found in the Red Hat Container Catalog.",
          "product_ids": [
            "8Base-RHOSE-Middleware:rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:6107"
        },
        {
          "category": "workaround",
          "details": "Use a \u2018deny\u2019 wildcard for base paths, then authenticate specifics within that:\n\nExamples:\n```\ndeny: /*\nauthenticated: /services/*\n```\nor\n```\ndeny: /services/*\nroles-allowed: /services/rbac/*\n```\n\nNOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected\u2013shipping the component in question\u2013without being vulnerable (\u201caffected at reduced impact\u201d).\n\nSee https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations.",
          "product_ids": [
            "8Base-RHOSE-Middleware:rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHOSE-Middleware:rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64",
            "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "quarkus: HTTP security policy bypass"
    }
  ]
}

cve-2023-4853

Vulnerability from cvelistv5

Published

2023-09-20 09:47

Modified

2024-10-21 00:43

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Quarkus: http security policy bypass

References

▼	URL	Tags
	https://access.redhat.com/errata/RHSA-2023:5170	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2023:5310	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2023:5337	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2023:5446	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2023:5479	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2023:5480	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2023:6107	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2023:6112	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2023:7653	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/security/cve/CVE-2023-4853	vdb-entry, x_refsource_REDHAT
	https://access.redhat.com/security/vulnerabilities/RHSB-2023-002	technical-description, x_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2238034	issue-tracking, x_refsource_REDHAT

Impacted products

▼	Vendor	Product
	Red Hat	Openshift Serverless 1 on RHEL 8
	Red Hat	Red Hat build of OptaPlanner 8
	Red Hat	Red Hat build of Quarkus 2.13.8.SP2
	Red Hat	Red Hat build of Quarkus 2.13.8.SP2
	Red Hat	Red Hat build of Quarkus 2.13.8.SP2
	Red Hat	Red Hat Camel Extensions for Quarkus 2.13.3-1
	Red Hat	Red Hat OpenShift Serverless 1.30
	Red Hat	Red Hat OpenShift Serverless 1.30
	Red Hat	Red Hat OpenShift Serverless 1.30
	Red Hat	Red Hat OpenShift Serverless 1.30
	Red Hat	Red Hat OpenShift Serverless 1.30
	Red Hat	Red Hat OpenShift Serverless 1.30
	Red Hat	Red Hat OpenShift Serverless 1.30
	Red Hat	Red Hat OpenShift Serverless 1.30
	Red Hat	Red Hat OpenShift Serverless 1.30
	Red Hat	Red Hat OpenShift Serverless 1.30
	Red Hat	RHEL-8 based Middleware Containers
	Red Hat	RHEL-8 based Middleware Containers
	Red Hat	RHEL-8 based Middleware Containers
	Red Hat	RHEL-8 based Middleware Containers
	Red Hat	RHEL-8 based Middleware Containers
	Red Hat	RHINT Camel-K-1.10.2
	Red Hat	RHINT Service Registry 2.5.4 GA
	Red Hat	RHPAM 7.13.4 async
	Red Hat	Red Hat Process Automation 7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:38:00.803Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2023:5170",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5170"
          },
          {
            "name": "RHSA-2023:5310",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5310"
          },
          {
            "name": "RHSA-2023:5337",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5337"
          },
          {
            "name": "RHSA-2023:5446",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5446"
          },
          {
            "name": "RHSA-2023:5479",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5479"
          },
          {
            "name": "RHSA-2023:5480",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5480"
          },
          {
            "name": "RHSA-2023:6107",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:6107"
          },
          {
            "name": "RHSA-2023:6112",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:6112"
          },
          {
            "name": "RHSA-2023:7653",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7653"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-4853"
          },
          {
            "name": "RHSB-2023-002",
            "tags": [
              "technical-description",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002"
          },
          {
            "name": "RHBZ#2238034",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:serverless:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-clients",
          "product": "Openshift Serverless 1 on RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.9.2-3.el8",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:optaplanner:::el6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "quarkus-vertx-http",
          "product": "Red Hat build of OptaPlanner 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:quarkus:2.13"
          ],
          "defaultStatus": "affected",
          "packageName": "io.quarkus/quarkus-keycloak-authorization",
          "product": "Red Hat build of Quarkus 2.13.8.SP2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "2.13.8.Final-redhat-00005",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:quarkus:2.13"
          ],
          "defaultStatus": "affected",
          "packageName": "io.quarkus/quarkus-undertow",
          "product": "Red Hat build of Quarkus 2.13.8.SP2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "2.13.8.Final-redhat-00005",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:quarkus:2.13"
          ],
          "defaultStatus": "affected",
          "packageName": "io.quarkus/quarkus-vertx-http",
          "product": "Red Hat build of Quarkus 2.13.8.SP2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "2.13.8.Final-redhat-00005",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:camel_quarkus:2.13"
          ],
          "defaultStatus": "unaffected",
          "packageName": "quarkus-vertx-http",
          "product": "Red Hat Camel Extensions for Quarkus 2.13.3-1",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/client-kn-rhel8",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.9.2-3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/ingress-rhel8-operator",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.1-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/knative-rhel8-operator",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.1-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/kn-cli-artifacts-rhel8",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.9.2-3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/serverless-operator-bundle",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.1-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/serverless-rhel8-operator",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.1-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/svls-must-gather-rhel8",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.1-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1-tech-preview/logic-data-index-ephemeral-rhel8",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.0-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1-tech-preview/logic-swf-builder-rhel8",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.0-6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1-tech-preview/logic-swf-devmode-rhel8",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.0-6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rhpam-7/rhpam-kogito-builder-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.13.4-3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rhpam-7/rhpam-kogito-rhel8-operator",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.13.4-2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rhpam-7/rhpam-kogito-rhel8-operator-bundle",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.13.4-2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.13.4-3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.13.4-3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:camel_k:1"
          ],
          "defaultStatus": "unaffected",
          "packageName": "quarkus-vertx-http",
          "product": "RHINT Camel-K-1.10.2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:service_registry:2.5"
          ],
          "defaultStatus": "unaffected",
          "packageName": "quarkus-vertx-http",
          "product": "RHINT Service Registry 2.5.4 GA",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13"
          ],
          "defaultStatus": "unaffected",
          "product": "RHPAM 7.13.4 async",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
          ],
          "defaultStatus": "affected",
          "packageName": "quarkus-vertx-http",
          "product": "Red Hat Process Automation 7",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2023-09-08T00:00:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-148",
              "description": "Improper Neutralization of Input Leaders",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-21T00:43:36.207Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2023:5170",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5170"
        },
        {
          "name": "RHSA-2023:5310",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5310"
        },
        {
          "name": "RHSA-2023:5337",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5337"
        },
        {
          "name": "RHSA-2023:5446",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5446"
        },
        {
          "name": "RHSA-2023:5479",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5479"
        },
        {
          "name": "RHSA-2023:5480",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5480"
        },
        {
          "name": "RHSA-2023:6107",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:6107"
        },
        {
          "name": "RHSA-2023:6112",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:6112"
        },
        {
          "name": "RHSA-2023:7653",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7653"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-4853"
        },
        {
          "name": "RHSB-2023-002",
          "tags": [
            "technical-description",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002"
        },
        {
          "name": "RHBZ#2238034",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-09-08T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-09-08T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Quarkus: http security policy bypass",
      "workarounds": [
        {
          "lang": "en",
          "value": "Use a \u2018deny\u2019 wildcard for base paths, then authenticate specifics within that:\n\nExamples:\n```\ndeny: /*\nauthenticated: /services/*\n```\nor\n```\ndeny: /services/*\nroles-allowed: /services/rbac/*\n```\n\nNOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected\u2013shipping the component in question\u2013without being vulnerable (\u201caffected at reduced impact\u201d).\n\nSee https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations."
        }
      ],
      "x_redhatCweChain": "CWE-148: Improper Neutralization of Input Leaders"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-4853",
    "datePublished": "2023-09-20T09:47:32.150Z",
    "dateReserved": "2023-09-08T16:10:38.379Z",
    "dateUpdated": "2024-10-21T00:43:36.207Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted