PT-2023-4947 · Red Hat · Quarkus

Chess Hazlett

Publicado

2023-09-08

Atualizado

2023-12-21

CVE-2023-4853

CVSS v3.1

8.1

Alta

Vetor

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Quarkus versions prior to 2.6.11 Quarkus versions prior to 3.2.6 Quarkus versions prior to 3.3.3 Red Hat build of Quarkus versions prior to 2.13.8.SP2

Description A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

Recommendations For Quarkus versions prior to 2.6.11, upgrade to version 2.6.11 or later. For Quarkus versions prior to 3.2.6, upgrade to version 3.2.6 or later. For Quarkus versions prior to 3.3.3, upgrade to version 3.3.3 or later. For Red Hat build of Quarkus versions prior to 2.13.8.SP2, upgrade to version 2.13.8.SP2 or later.

Exploit

Correção

Incorrect Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-275CWE-148CWE-863

Identificadores relacionados

BDU:2023-05461

CVE-2023-4853

GHSA-4F4R-WGV2-JJVG

RHSA-2023:5479

Produtos afetados

Quarkus

PT-2023-4947 · Red Hat · Quarkus

CVE-2023-4853

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 31