Description

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

Remediation

References

https://access.redhat.com/errata/RHSA-2023:5170

https://access.redhat.com/errata/RHSA-2023:5310

https://access.redhat.com/errata/RHSA-2023:5337

https://access.redhat.com/errata/RHSA-2023:5446

https://access.redhat.com/errata/RHSA-2023:5479

https://access.redhat.com/errata/RHSA-2023:5480

https://access.redhat.com/errata/RHSA-2023:6107

https://access.redhat.com/errata/RHSA-2023:6112

https://access.redhat.com/errata/RHSA-2023:7653

https://access.redhat.com/security/cve/CVE-2023-4853

https://access.redhat.com/security/vulnerabilities/RHSB-2023-002

https://bugzilla.redhat.com/show_bug.cgi?id=2238034

Related Vulnerabilities

CVE-2023-27602 Vulnerability in maven package org.apache.linkis:linkis-storage-script-dev-server

CVE-2018-14042 Vulnerability in npm package bootstrap-sass

CVE-2023-25499 Vulnerability in maven package com.vaadin:flow-server

CVE-2012-0818 Vulnerability in maven package org.jboss.resteasy:resteasy-jaxb-provider

CVE-2020-2242 Vulnerability in maven package org.jenkins-ci.plugins:database

Severity

Critical

Classification

CWE-863 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Mitigation Exploit Technical Description Issue Tracking