Lucene search

GoogleOSV:CVE-2023-0044

HistoryFeb 23, 2023 - 8:15 p.m.

CVE-2023-0044

2023-02-2320:15:12

Google

osv.dev

quarkus

form authentication

session cookie

path attribute

cross-site attack

information disclosure

csrf prevention

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.7%

JSON

If the Quarkus Form Authentication session cookie Path attribute is set to / then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.

References

access.redhat.com/security/cve/CVE-2023-0044

bugzilla.redhat.com/show_bug.cgi?id=2158081

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

6.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.7%

JSON

Related for OSV:CVE-2023-0044