CVSS: 8.1EPSS: 0%CPEs: 18EXPL: 1CVE-2023-4853 – Quarkus: http security policy bypass
https://notcve.org/view.php?id=CVE-2023-4853
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service. Se encontró una falla en Quarkus donde las políticas de seguridad HTTP no sanitiza correctamente ciertas permutaciones de caracteres al aceptar solicitudes, lo que resulta en una evaluación incorrecta de los permisos. Este problema podría permitir que un atacante eluda la política de seguridad por completo, lo que resultaría en un acceso no autorizado al endpoint y posiblemente una Denegación de Servicio. • https://access.redhat.com/errata/RHSA-2023:5170 https://access.redhat.com/errata/RHSA-2023:5310 https://access.redhat.com/errata/RHSA-2023:5337 https://access.redhat.com/errata/RHSA-2023:5446 https://access.redhat.com/errata/RHSA-2023:5479 https://access.redhat.com/errata/RHSA-2023:5480 https://access.redhat.com/errata/RHSA-2023:6107 https://access.redhat.com/errata/RHSA-2023:6112 https://access.redhat.com/errata/RHSA-2023:7653 https://access.redhat.com/security/cve&# • CWE-148: Improper Neutralization of Input Leaders CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-3703 – serverless: incomplete fix for CVE-2021-27918 / CVE-2021-31525 / CVE-2021-33196
https://notcve.org/view.php?id=CVE-2021-3703
It was found that the CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 have been incorrectly mentioned as fixed in RHSA for Serverless 1.16.0 and Serverless client kn 1.16.0. These have been fixed with Serverless 1.17.0. Se ha detectado que las vulnerabilidades CVE-2021-27918, CVE-2021-31525 y CVE-2021-33196 se han mencionado incorrectamente como corregidas en RHSA para Serverless versión 1.16.0 y Serverless client kn versión 1.16.0. Estos han sido corregidos con Serverless versión 1.17.0. CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 have been incorrectly mentioned as fixed for Serverless 1.16.0 and Serverless client kn 1.16.0. • https://access.redhat.com/security/cve/CVE-2021-3703 https://bugzilla.redhat.com/show_bug.cgi?id=1992955 •