Lucene search

Redhat.comRH:CVE-2023-0044

HistoryJan 04, 2023 - 8:35 a.m.

CVE-2023-0044

2023-01-0408:35:35

redhat.com

access.redhat.com

quarkus

form authentication

session cookie

cross-site attack

information disclosure

csrf prevention feature

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

21.7%

JSON

A flaw was found in Quarkus. If the Quarkus Form Authentication session cookie Path attribute is set to /, then a cross-site attack may be initiated, which might lead to information disclosure.

Mitigation

This attack can be prevented with the Quarkus CSRF Prevention feature.

References

bugzilla.redhat.com/show_bug.cgi?id=2158081

github.com/advisories/GHSA-c57v-hc7m-8px2

nvd.nist.gov/vuln/detail/CVE-2023-0044

www.cve.org/CVERecord?id=CVE-2023-0044

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

21.7%

JSON

Related for RH:CVE-2023-0044