Quarkus HTTP vulnerable to incorrect evaluation of permissions

2023-09-2012:30:22

Google

osv.dev

quarkus

http

security flaw

unauthorized access

denial of service

0.002 Low

EPSS

Percentile

58.5%

JSON

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

CPENameOperatorVersion
io.quarkus:quarkus-undertoweq2.2.5.Final
io.quarkus:quarkus-undertoweq2.8.3.Final
io.quarkus:quarkus-vertx-httpeq3.2.3.Final
io.quarkus:quarkus-undertoweq2.2.3.Final
io.quarkus:quarkus-vertx-httpeq1.3.0.CR1
io.quarkus:quarkus-keycloak-authorizationeq2.13.0.Final
io.quarkus:quarkus-undertoweq3.2.5.Final
io.quarkus:quarkus-keycloak-authorizationeq3.1.0.Final
io.quarkus:quarkus-csrf-reactiveeq2.14.3.Final
io.quarkus:quarkus-keycloak-authorizationeq2.5.4.Final

Name	Operator	Version
io.quarkus:quarkus-undertow	eq	2.2.5.Final
io.quarkus:quarkus-undertow	eq	2.8.3.Final
io.quarkus:quarkus-vertx-http	eq	3.2.3.Final
io.quarkus:quarkus-undertow	eq	2.2.3.Final
io.quarkus:quarkus-vertx-http	eq	1.3.0.CR1
io.quarkus:quarkus-keycloak-authorization	eq	2.13.0.Final
io.quarkus:quarkus-undertow	eq	3.2.5.Final
io.quarkus:quarkus-keycloak-authorization	eq	3.1.0.Final
io.quarkus:quarkus-csrf-reactive	eq	2.14.3.Final
io.quarkus:quarkus-keycloak-authorization	eq	2.5.4.Final