CVE-2023-4853

Published: 2023-09-20 10:15:14
CWE: CWE-148, CWE-863
Source: web.nvd.nist.gov
Tags: quarkus, http, security policies, bypass, unauthorized access, denial of service, nvd

CVSS 3.1 base score: 8.1 High
  Attack Vector: Network
  Attack Complexity: High
  Privileges Required: None
  User Interaction: None
  Scope: Unchanged
  Confidentiality Impact: High
  Integrity Impact: High
  Availability Impact: High
  Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.5 High (confidence: High)

EPSS: 0.002 Low (percentile 58.6%)

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
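The advisory does not say which character permutations the Quarkus policies mishandled, so the following is an added illustration of the bug class rather than the Quarkus code or its fix: a path-based authorization policy evaluated against the raw request path, beside the same policy evaluated against a canonicalized path. The policy table, the probe paths, the normalization rules and the function names (naive_authorize, normalize_path, hardened_authorize) are all constructed for this example.

```python
"""Path-based HTTP authorization: raw-path matching beside a normalized
matcher. Constructed illustration of the bug class (CWE-148 / CWE-863);
this is not the Quarkus implementation and does not reproduce its fix."""
from urllib.parse import unquote

# Constructed policy, evaluated top to bottom, first match wins.
# An empty role set means "deny everyone"; '/*' means the path itself or
# anything below it.
POLICY = [
    ("/api/admin/*", {"admin"}),
    ("/api/internal/*", set()),
    ("/api/*", {"user", "admin"}),
]
DEFAULT_PERMIT = True  # paths no rule claims are treated as public


def pattern_matches(path, pattern):
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return path == pattern


def first_match(path):
    for pattern, roles in POLICY:
        if pattern_matches(path, pattern):
            return roles
    return None


def decide(path, user_roles):
    roles = first_match(path)
    if roles is None:
        return DEFAULT_PERMIT
    return bool(roles & user_roles)


def naive_authorize(raw_path, user_roles):
    """The bug class: the policy is matched against the path exactly as the
    client sent it, so '//', '.', '..' and percent-encoding can steer the
    request away from the specific rule and onto a broader one."""
    return decide(raw_path, user_roles)


def normalize_path(raw_path):
    """Canonicalize before matching: percent-decode once; refuse anything
    still encoded (double encoding), backslashes or control characters;
    drop empty and '.' segments; resolve '..'; refuse paths that climb
    above the root (RFC 3986 remove_dot_segments, made strict)."""
    path = unquote(raw_path)
    if "%" in path or "\\" in path or any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        raise ValueError("rejected characters in path")
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                raise ValueError("path escapes root")
            segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def hardened_authorize(raw_path, user_roles):
    """Normalize first; a path that cannot be normalized is denied."""
    try:
        path = normalize_path(raw_path)
    except ValueError:
        return False
    return decide(path, user_roles)


# Constructed probes: requests from a caller who only holds the 'user' role.
PROBES = [
    "/api/admin/users",
    "/api//admin/users",
    "/api/./admin/users",
    "/api/%61dmin/users",
    "/api/%2561dmin/users",
    "/api/public/../admin/users",
    "/../api/admin/users",
]


def compare(probes=PROBES, user_roles=frozenset({"user"})):
    """Return {raw_path: (naive_decision, hardened_decision)}."""
    return {p: (naive_authorize(p, user_roles), hardened_authorize(p, user_roles)) for p in probes}


if __name__ == "__main__":
    for raw, (naive, hardened) in compare().items():
        print(f"{raw:30} naive={'PERMIT' if naive else 'DENY':6} hardened={'PERMIT' if hardened else 'DENY'}")
```

Every probe except the first is permitted by the raw-path matcher and denied by the normalized one. Note that only the last probe relies on the permissive default: the others slide from the `/api/admin/*` rule onto the broader `/api/*` rule, so switching DEFAULT_PERMIT to False would not close them; the authorization layer has to see the same canonical path the router dispatches on, and it has to see it before any rule is consulted.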

Affected configurations (NVD)

Node 1, any of:
  quarkus:quarkus < 2.16.11
  quarkus:quarkus >= 3.2.0 and < 3.2.6
  quarkus:quarkus >= 3.3.0 and < 3.3.3

Node 2, any of:
  redhat:build_of_optaplanner 8.0
  redhat:build_of_quarkus >= 2.13.0 and < 2.13.8 (text-only)
  redhat:decision_manager 7.0
  redhat:integration_camel_k < 1.10.2
  redhat:integration_camel_quarkus (version unspecified)
  redhat:integration_service_registry (version unspecified)
  redhat:jboss_middleware 1
  redhat:jboss_middleware_text-only_advisories 1.0 (middleware)
  redhat:openshift_serverless (version unspecified)
  redhat:openshift_serverless 1.0
  redhat:process_automation_manager 7.0

Node 3, redhat:enterprise_linux 8.0 together with any of:
  redhat:openshift_container_platform 4.10
  redhat:openshift_container_platform 4.11
  redhat:openshift_container_platform 4.12

CNA Affected

[
  {
    "vendor": "Red Hat",
    "product": "Openshift Serverless 1 on RHEL 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "openshift-serverless-clients",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:1.9.2-3.el8",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:serverless:1.0::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Quarkus 2.13.8.SP2",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.quarkus/quarkus-keycloak-authorization",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "2.13.8.Final-redhat-00005",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:quarkus:2.13"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Quarkus 2.13.8.SP2",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.quarkus/quarkus-undertow",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "2.13.8.Final-redhat-00005",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:quarkus:2.13"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Quarkus 2.13.8.SP2",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.quarkus/quarkus-vertx-http",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "2.13.8.Final-redhat-00005",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:quarkus:2.13"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Camel Extensions for Quarkus 2.13.3-1",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "defaultStatus": "unaffected",
    "packageName": "quarkus-vertx-http",
    "cpes": [
      "cpe:/a:redhat:camel_quarkus:2.13"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Serverless 1.30",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift-serverless-1/client-kn-rhel8",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "1.9.2-3",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift_serverless:1.30::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Serverless 1.30",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift-serverless-1/ingress-rhel8-operator",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "1.30.1-1",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift_serverless:1.30::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Serverless 1.30",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift-serverless-1/knative-rhel8-operator",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "1.30.1-1",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift_serverless:1.30::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Serverless 1.30",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift-serverless-1/kn-cli-artifacts-rhel8",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "1.9.2-3",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift_serverless:1.30::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Serverless 1.30",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift-serverless-1/serverless-operator-bundle",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "1.30.1-1",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift_serverless:1.30::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Serverless 1.30",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift-serverless-1/serverless-rhel8-operator",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "1.30.1-1",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift_serverless:1.30::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Serverless 1.30",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift-serverless-1/svls-must-gather-rhel8",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "1.30.1-1",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift_serverless:1.30::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Serverless 1.30",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift-serverless-1-tech-preview/logic-data-index-ephemeral-rhel8",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "1.30.0-5",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift_serverless:1.30::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Serverless 1.30",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift-serverless-1-tech-preview/logic-swf-builder-rhel8",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "1.30.0-6",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift_serverless:1.30::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenShift Serverless 1.30",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "openshift-serverless-1-tech-preview/logic-swf-devmode-rhel8",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "1.30.0-6",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openshift_serverless:1.30::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "RHBOP Text-Only",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "defaultStatus": "unaffected",
    "packageName": "quarkus-vertx-http",
    "cpes": [
      "cpe:/a:redhat:optaplanner:::el6"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "RHEL-8 based Middleware Containers",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhpam-7/rhpam-kogito-builder-rhel8",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "7.13.4-3",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:rhosemc:1.0::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "RHEL-8 based Middleware Containers",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhpam-7/rhpam-kogito-rhel8-operator",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "7.13.4-2",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:rhosemc:1.0::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "RHEL-8 based Middleware Containers",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhpam-7/rhpam-kogito-rhel8-operator-bundle",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "7.13.4-2",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:rhosemc:1.0::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "RHEL-8 based Middleware Containers",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "7.13.4-3",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:rhosemc:1.0::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "RHEL-8 based Middleware Containers",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "7.13.4-3",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:rhosemc:1.0::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "RHINT Camel-K-1.10.2",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "defaultStatus": "unaffected",
    "packageName": "quarkus-vertx-http",
    "cpes": [
      "cpe:/a:redhat:camel_k:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "RHINT Service Registry 2.5.4 GA",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "defaultStatus": "unaffected",
    "packageName": "quarkus-vertx-http",
    "cpes": [
      "cpe:/a:redhat:service_registry:2.5"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "RHPAM 7.13.4 async",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Process Automation 7",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "quarkus-vertx-http",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
    ]
  }
]
