csaf_certbund - wid-sec-w-2023-2362

wid-sec-w-2023-2362

Vulnerability from csaf_certbund

Published

2023-09-14 22:00

Modified

2023-12-05 23:00

Summary

Red Hat Quarkus: Schwachstelle ermöglicht die Umgehung von Sicherheitsmaßnahmen oder die Verursachung eines Denial-of-Service-Zustands

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.

Angriff

Ein entfernter anonymer Angreifer kann eine Schwachstelle in Red Hat Quarkus ausnutzen, um Sicherheitsmaßnahmen zu umgehen oder einen Denial-of-Service-Zustand zu verursachen.

Betroffene Betriebssysteme

- Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Red Hat Enterprise Linux (RHEL) ist eine popul\u00e4re Linux-Distribution.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter anonymer Angreifer kann eine Schwachstelle in Red Hat Quarkus ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu verursachen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-2362 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2362.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-2362 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2362"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:7653 vom 2023-12-06",
        "url": "https://access.redhat.com/errata/RHSA-2023:7653"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:6107 vom 2023-10-25",
        "url": "https://access.redhat.com/errata/RHSA-2023:6107"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:6112 vom 2023-10-25",
        "url": "https://access.redhat.com/errata/RHSA-2023:6112"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:5479 vom 2023-10-05",
        "url": "https://access.redhat.com/errata/RHSA-2023:5479"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:5480 vom 2023-10-05",
        "url": "https://access.redhat.com/errata/RHSA-2023:5480"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:5446 vom 2023-10-04",
        "url": "https://access.redhat.com/errata/RHSA-2023:5446"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:5337 vom 2023-09-21",
        "url": "https://access.redhat.com/errata/RHSA-2023:5337"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory RHSA-2023:5310 vom 2023-09-20",
        "url": "https://access.redhat.com/errata/RHSA-2023:5310"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory - RHSA-2023:5170 vom 2023-09-14",
        "url": "https://access.redhat.com/security/cve/CVE-2023-4853"
      },
      {
        "category": "external",
        "summary": "Red Hat Security Advisory - RHSA-2023:5170 vom 2023-09-14",
        "url": "https://access.redhat.com/errata/RHSA-2023:5170"
      }
    ],
    "source_lang": "en-US",
    "title": "Red Hat Quarkus: Schwachstelle erm\u00f6glicht die Umgehung von Sicherheitsma\u00dfnahmen oder die Verursachung eines Denial-of-Service-Zustands",
    "tracking": {
      "current_release_date": "2023-12-05T23:00:00.000+00:00",
      "generator": {
        "date": "2024-02-15T17:44:13.879+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.0"
        }
      },
      "id": "WID-SEC-W-2023-2362",
      "initial_release_date": "2023-09-14T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-09-14T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2023-09-19T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2023-09-21T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2023-10-04T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2023-10-05T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2023-10-25T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Red Hat aufgenommen"
        },
        {
          "date": "2023-12-05T23:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Red Hat aufgenommen"
        }
      ],
      "status": "final",
      "version": "7"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux",
                "product": {
                  "name": "Red Hat Enterprise Linux",
                  "product_id": "67646",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:-"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Quarkus \u003c 2.13.8",
                "product": {
                  "name": "Red Hat Enterprise Linux Quarkus \u003c 2.13.8",
                  "product_id": "T029889",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:quarkus__2.13.8"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Enterprise Linux"
          },
          {
            "category": "product_name",
            "name": "Red Hat Integration Service Registry 1",
            "product": {
              "name": "Red Hat Integration Service Registry 1",
              "product_id": "T031465",
              "product_identification_helper": {
                "cpe": "cpe:/a:redhat:integration:service_registry_1"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-4853",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Red Hat Enterprise Linux. Dieser Fehler besteht in der Quarkus-Komponente, da die HTTP-Sicherheitsrichtlinien bestimmte Zeichenkombinationen nicht korrekt bereinigen, was zu einem nicht autorisierten Endpunktzugriff f\u00fchrt. Ein entfernter Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen oder einen Denial-of-Service-Zustand zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T031465",
          "67646"
        ]
      },
      "release_date": "2023-09-14T22:00:00Z",
      "title": "CVE-2023-4853"
    }
  ]
}

cve-2023-4853

Vulnerability from cvelistv5

Published

2023-09-20 09:47

Modified

2024-10-21 00:43

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Quarkus: http security policy bypass

References

▼	URL	Tags
	https://access.redhat.com/errata/RHSA-2023:5170	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2023:5310	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2023:5337	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2023:5446	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2023:5479	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2023:5480	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2023:6107	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2023:6112	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2023:7653	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/security/cve/CVE-2023-4853	vdb-entry, x_refsource_REDHAT
	https://access.redhat.com/security/vulnerabilities/RHSB-2023-002	technical-description, x_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2238034	issue-tracking, x_refsource_REDHAT

Impacted products

▼	Vendor	Product
	Red Hat	Openshift Serverless 1 on RHEL 8
	Red Hat	Red Hat build of OptaPlanner 8
	Red Hat	Red Hat build of Quarkus 2.13.8.SP2
	Red Hat	Red Hat build of Quarkus 2.13.8.SP2
	Red Hat	Red Hat build of Quarkus 2.13.8.SP2
	Red Hat	Red Hat Camel Extensions for Quarkus 2.13.3-1
	Red Hat	Red Hat OpenShift Serverless 1.30
	Red Hat	Red Hat OpenShift Serverless 1.30
	Red Hat	Red Hat OpenShift Serverless 1.30
	Red Hat	Red Hat OpenShift Serverless 1.30
	Red Hat	Red Hat OpenShift Serverless 1.30
	Red Hat	Red Hat OpenShift Serverless 1.30
	Red Hat	Red Hat OpenShift Serverless 1.30
	Red Hat	Red Hat OpenShift Serverless 1.30
	Red Hat	Red Hat OpenShift Serverless 1.30
	Red Hat	Red Hat OpenShift Serverless 1.30
	Red Hat	RHEL-8 based Middleware Containers
	Red Hat	RHEL-8 based Middleware Containers
	Red Hat	RHEL-8 based Middleware Containers
	Red Hat	RHEL-8 based Middleware Containers
	Red Hat	RHEL-8 based Middleware Containers
	Red Hat	RHINT Camel-K-1.10.2
	Red Hat	RHINT Service Registry 2.5.4 GA
	Red Hat	RHPAM 7.13.4 async
	Red Hat	Red Hat Process Automation 7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:38:00.803Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2023:5170",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5170"
          },
          {
            "name": "RHSA-2023:5310",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5310"
          },
          {
            "name": "RHSA-2023:5337",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5337"
          },
          {
            "name": "RHSA-2023:5446",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5446"
          },
          {
            "name": "RHSA-2023:5479",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5479"
          },
          {
            "name": "RHSA-2023:5480",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5480"
          },
          {
            "name": "RHSA-2023:6107",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:6107"
          },
          {
            "name": "RHSA-2023:6112",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:6112"
          },
          {
            "name": "RHSA-2023:7653",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7653"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-4853"
          },
          {
            "name": "RHSB-2023-002",
            "tags": [
              "technical-description",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002"
          },
          {
            "name": "RHBZ#2238034",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:serverless:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-clients",
          "product": "Openshift Serverless 1 on RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.9.2-3.el8",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:optaplanner:::el6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "quarkus-vertx-http",
          "product": "Red Hat build of OptaPlanner 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:quarkus:2.13"
          ],
          "defaultStatus": "affected",
          "packageName": "io.quarkus/quarkus-keycloak-authorization",
          "product": "Red Hat build of Quarkus 2.13.8.SP2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "2.13.8.Final-redhat-00005",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:quarkus:2.13"
          ],
          "defaultStatus": "affected",
          "packageName": "io.quarkus/quarkus-undertow",
          "product": "Red Hat build of Quarkus 2.13.8.SP2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "2.13.8.Final-redhat-00005",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:quarkus:2.13"
          ],
          "defaultStatus": "affected",
          "packageName": "io.quarkus/quarkus-vertx-http",
          "product": "Red Hat build of Quarkus 2.13.8.SP2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "2.13.8.Final-redhat-00005",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:camel_quarkus:2.13"
          ],
          "defaultStatus": "unaffected",
          "packageName": "quarkus-vertx-http",
          "product": "Red Hat Camel Extensions for Quarkus 2.13.3-1",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/client-kn-rhel8",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.9.2-3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/ingress-rhel8-operator",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.1-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/knative-rhel8-operator",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.1-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/kn-cli-artifacts-rhel8",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.9.2-3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/serverless-operator-bundle",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.1-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/serverless-rhel8-operator",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.1-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/svls-must-gather-rhel8",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.1-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1-tech-preview/logic-data-index-ephemeral-rhel8",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.0-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1-tech-preview/logic-swf-builder-rhel8",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.0-6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1-tech-preview/logic-swf-devmode-rhel8",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.0-6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rhpam-7/rhpam-kogito-builder-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.13.4-3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rhpam-7/rhpam-kogito-rhel8-operator",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.13.4-2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rhpam-7/rhpam-kogito-rhel8-operator-bundle",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.13.4-2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.13.4-3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.13.4-3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:camel_k:1"
          ],
          "defaultStatus": "unaffected",
          "packageName": "quarkus-vertx-http",
          "product": "RHINT Camel-K-1.10.2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:service_registry:2.5"
          ],
          "defaultStatus": "unaffected",
          "packageName": "quarkus-vertx-http",
          "product": "RHINT Service Registry 2.5.4 GA",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13"
          ],
          "defaultStatus": "unaffected",
          "product": "RHPAM 7.13.4 async",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
          ],
          "defaultStatus": "affected",
          "packageName": "quarkus-vertx-http",
          "product": "Red Hat Process Automation 7",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2023-09-08T00:00:00+00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-148",
              "description": "Improper Neutralization of Input Leaders",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-21T00:43:36.207Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2023:5170",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5170"
        },
        {
          "name": "RHSA-2023:5310",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5310"
        },
        {
          "name": "RHSA-2023:5337",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5337"
        },
        {
          "name": "RHSA-2023:5446",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5446"
        },
        {
          "name": "RHSA-2023:5479",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5479"
        },
        {
          "name": "RHSA-2023:5480",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5480"
        },
        {
          "name": "RHSA-2023:6107",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:6107"
        },
        {
          "name": "RHSA-2023:6112",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:6112"
        },
        {
          "name": "RHSA-2023:7653",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7653"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-4853"
        },
        {
          "name": "RHSB-2023-002",
          "tags": [
            "technical-description",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002"
        },
        {
          "name": "RHBZ#2238034",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-09-08T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-09-08T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Quarkus: http security policy bypass",
      "workarounds": [
        {
          "lang": "en",
          "value": "Use a \u2018deny\u2019 wildcard for base paths, then authenticate specifics within that:\n\nExamples:\n```\ndeny: /*\nauthenticated: /services/*\n```\nor\n```\ndeny: /services/*\nroles-allowed: /services/rbac/*\n```\n\nNOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected\u2013shipping the component in question\u2013without being vulnerable (\u201caffected at reduced impact\u201d).\n\nSee https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations."
        }
      ],
      "x_redhatCweChain": "CWE-148: Improper Neutralization of Input Leaders"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-4853",
    "datePublished": "2023-09-20T09:47:32.150Z",
    "dateReserved": "2023-09-08T16:10:38.379Z",
    "dateUpdated": "2024-10-21T00:43:36.207Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted