PT-2023-4947 · Red Hat · Quarkus
Chess Hazlett
·
Published
2023-09-08
·
Updated
2023-12-21
·
CVE-2023-4853
CVSS v3.1
8.1
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Quarkus versions prior to 2.6.11
Quarkus versions prior to 3.2.6
Quarkus versions prior to 3.3.3
Red Hat build of Quarkus versions prior to 2.13.8.SP2
Description
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
Recommendations
For Quarkus versions prior to 2.6.11, upgrade to version 2.6.11 or later.
For Quarkus versions prior to 3.2.6, upgrade to version 3.2.6 or later.
For Quarkus versions prior to 3.3.3, upgrade to version 3.3.3 or later.
For Red Hat build of Quarkus versions prior to 2.13.8.SP2, upgrade to version 2.13.8.SP2 or later.
Exploit
Fix
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Quarkus