8.1

CVE-2023-2974

Quarkus-core: tls protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported tls protocol

A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RedhatBuild Of Quarkus Version < 2.13.8
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.88% 0.547
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.1 2.8 5.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
secalert@redhat.com 6.5 1.2 5.2
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties.

https://access.redhat.com/errata/RHSA-2023:3809
Release Notes
https://access.redhat.com/security/cve/CVE-2023-2974
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2211026
Vendor Advisory
Issue Tracking