CVE-2023-1584

Quarkus-oidc: id and access tokens leak via the authorization code flow

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.

Se encontró un defecto en Quarkus. Quarkus OIDC puede filtrar tanto ID como tokens de acceso en el flujo del código de autorización cuando se utiliza un protocolo HTTP inseguro, lo que puede permitir a los atacantes acceder a datos confidenciales del usuario directamente desde el token de ID o utilizando el token de acceso para acceder a los datos del usuario desde los servicios del proveedor OIDC. . Tenga en cuenta que las contraseñas no se almacenan en tokens de acceso.

An update to the images for Red Hat Integration - Service Registry is now available from the Red Hat Container Catalog. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Issues addressed include bypass and denial of service vulnerabilities.

*Credits: This issue was discovered by Paulo Lopes (Red Hat).

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-03-22 CVE Reserved
2023-06-30 CVE Published
2024-08-02 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (6)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2023:3809	2024-05-03
https://access.redhat.com/errata/RHSA-2023:7653	2024-05-03
https://access.redhat.com/security/cve/CVE-2023-1584	2023-12-05
https://bugzilla.redhat.com/show_bug.cgi?id=2180886	2023-12-05
https://github.com/quarkusio/quarkus/pull/32192	2024-05-03
https://github.com/quarkusio/quarkus/pull/33414	2024-05-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Quarkus Search vendor "Quarkus"		Quarkus Search vendor "Quarkus" for product "Quarkus"				< 2.13.8 Search vendor "Quarkus" for product "Quarkus" and version " < 2.13.8"		-		Affected