CVE-2023-4853 (CVSS base score 8.1)

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

Data is provided by the National Vulnerability Database (NVD).

Affected configurations:
- Quarkus: Quarkus, version < 2.16.11
- Quarkus: Quarkus, version >= 3.2.0 and < 3.2.6
- Quarkus: Quarkus, version >= 3.3.0 and < 3.3.3
- Red Hat: Build of OptaPlanner, version 8.0
- Red Hat: Build of Quarkus (sw_edition: text-only), version >= 2.13.0 and < 2.13.8
- Red Hat: Decision Manager, version 7.0
- Red Hat: Integration Camel K, version < 1.10.2
- Red Hat: JBoss Middleware, version 1
- Red Hat: JBoss Middleware Text-only Advisories, version 1.0 (sw_platform: middleware)
- Red Hat: OpenShift Serverless, version 1.0
- Red Hat: OpenShift Container Platform, version 4.10 (running on Red Hat Enterprise Linux 8.0)
- Red Hat: OpenShift Container Platform, version 4.11 (running on Red Hat Enterprise Linux 8.0)
- Red Hat: OpenShift Container Platform, version 4.12 (running on Red Hat Enterprise Linux 8.0)
No CISA KEV entry or CERT.AT advisory was found for this CVE.
EPSS metrics

Type | Source    | Score | Percentile
EPSS | FIRST.org | 0.35% | 0.566
CVSS metrics

Source              | Base Score | Exploitability Score | Impact Score | Vector string
nvd@nist.gov        | 8.1        | 2.2                  | 5.9          | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
secalert@redhat.com | 8.1        | 2.2                  | 5.9          | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-148 Improper Neutralization of Input Leaders

The product does not properly handle when a leading character or sequence ("leader") is missing or malformed, or if multiple leaders are used when only one should be allowed.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.