8.1

CVE-2023-4853

Exploit

Quarkus: http security policy bypass

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
QuarkusQuarkus Version < 2.16.11
QuarkusQuarkus Version >= 3.2.0 < 3.2.6
QuarkusQuarkus Version >= 3.3.0 < 3.3.3
RedhatBuild Of Optaplanner Version8.0
RedhatBuild Of Quarkus SwEditiontext-only Version >= 2.13.0 < 2.13.8
RedhatDecision Manager Version7.0
RedhatIntegration Camel K Version < 1.10.2
RedhatJboss Middleware Version1
RedhatJboss Middleware Text-only Advisories Version1.0 SwPlatformmiddleware
RedhatOpenshift Serverless Version1.0
RedhatOpenshift Container Platform Version4.10
   RedhatEnterprise Linux Version8.0
RedhatOpenshift Container Platform Version4.11
   RedhatEnterprise Linux Version8.0
RedhatOpenshift Container Platform Version4.12
   RedhatEnterprise Linux Version8.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.22% 0.646
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.1 2.2 5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
secalert@redhat.com 8.1 2.2 5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-148 Improper Neutralization of Input Leaders

The product does not properly handle when a leading character or sequence ("leader") is missing or malformed, or if multiple leaders are used when only one should be allowed.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://access.redhat.com/errata/RHSA-2023:5170
Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:5310
Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:5337
Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:5446
Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:5479
Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:5480
Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:6107
Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:6112
Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7653
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2023-4853
Vendor Advisory
Mitigation
https://access.redhat.com/security/vulnerabilities/RHSB-2023-002
Vendor Advisory
Exploit
Mitigation
Technical Description
https://bugzilla.redhat.com/show_bug.cgi?id=2238034
Vendor Advisory
Issue Tracking