CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile: 70.4%
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
Use a ‘deny’ wildcard for base paths, then authenticate specifics within that:
Examples:
deny: /*
authenticated: /services/*
or
deny: /services/*
roles-allowed: /services/rbac/*
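The two shorthand patterns above, written out as a Quarkus application.properties fragment. This is an added illustration, not configuration taken from the advisory or from the Quarkus project; the permission names (deny-all, services, deny-services, rbac-services), the policy name rbac and the role name admin are assumed placeholders, and the comments assume the standard Quarkus precedence in which the most specific matching path pattern applies.

```properties
# Alternative A: deny the whole base path, then open only the intended subtree.
# Catch-all deny: any request whose path does not match a narrower rule below
# falls through to this rule rather than to an unprotected default.
quarkus.http.auth.permission.deny-all.paths=/*
quarkus.http.auth.permission.deny-all.policy=deny

# Narrower rule: callers must be authenticated to reach /services/*.
# Assumed precedence: the more specific pattern overrides the catch-all deny.
quarkus.http.auth.permission.services.paths=/services/*
quarkus.http.auth.permission.services.policy=authenticated

# Alternative B (use instead of A, not alongside it): deny the service subtree,
# then allow a single role-restricted sub-path within it.
# Named RBAC policy; "admin" is a placeholder role, not from the advisory.
quarkus.http.auth.policy.rbac.roles-allowed=admin

quarkus.http.auth.permission.deny-services.paths=/services/*
quarkus.http.auth.permission.deny-services.policy=deny

quarkus.http.auth.permission.rbac-services.paths=/services/rbac/*
quarkus.http.auth.permission.rbac-services.policy=rbac
```

In both alternatives the deny rule on the broader path is the safety net: a request path that fails to match the narrower pattern is denied instead of being evaluated against no policy at all.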
NOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected (shipping the component in question) without being vulnerable (“affected at reduced impact”).
See <https://access.redhat.com/security/vulnerabilities/RHSB-2023-002> for more detailed mitigations.