CVE-2023-4853
Quarkus: http security policy bypass
Severity Score
8.1
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
Se encontró una falla en Quarkus donde las políticas de seguridad HTTP no sanitiza correctamente ciertas permutaciones de caracteres al aceptar solicitudes, lo que resulta en una evaluación incorrecta de los permisos. Este problema podría permitir que un atacante eluda la política de seguridad por completo, lo que resultaría en un acceso no autorizado al endpoint y posiblemente una Denegación de Servicio.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-09-08 CVE Reserved
- 2023-09-15 CVE Published
- 2024-10-21 CVE Updated
- 2024-10-21 First Exploit
- 2024-10-22 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-148: Improper Neutralization of Input Leaders
- CWE-863: Incorrect Authorization
CAPEC
References (12)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 | 2024-10-21 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2023:5170 | 2023-12-21 | |
| https://access.redhat.com/errata/RHSA-2023:5310 | 2023-12-21 | |
| https://access.redhat.com/errata/RHSA-2023:5337 | 2023-12-21 | |
| https://access.redhat.com/errata/RHSA-2023:5446 | 2023-12-21 | |
| https://access.redhat.com/errata/RHSA-2023:5479 | 2023-12-21 | |
| https://access.redhat.com/errata/RHSA-2023:5480 | 2023-12-21 | |
| https://access.redhat.com/errata/RHSA-2023:6107 | 2023-12-21 | |
| https://access.redhat.com/errata/RHSA-2023:6112 | 2023-12-21 | |
| https://access.redhat.com/errata/RHSA-2023:7653 | 2023-12-21 | |
| https://access.redhat.com/security/cve/CVE-2023-4853 | 2023-12-05 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2238034 | 2023-12-05 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform" | 4.10 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.10" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform" | 4.11 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.11" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform" | 4.12 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.12" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Safe
|
| Quarkus Search vendor "Quarkus" | Quarkus Search vendor "Quarkus" for product "Quarkus" | < 2.16.11 Search vendor "Quarkus" for product "Quarkus" and version " < 2.16.11" | - |
Affected
| ||||||
| Quarkus Search vendor "Quarkus" | Quarkus Search vendor "Quarkus" for product "Quarkus" | >= 3.2.0 < 3.2.6 Search vendor "Quarkus" for product "Quarkus" and version " >= 3.2.0 < 3.2.6" | - |
Affected
| ||||||
| Quarkus Search vendor "Quarkus" | Quarkus Search vendor "Quarkus" for product "Quarkus" | >= 3.3.0 < 3.3.3 Search vendor "Quarkus" for product "Quarkus" and version " >= 3.3.0 < 3.3.3" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Build Of Optaplanner Search vendor "Redhat" for product "Build Of Optaplanner" | 8.0 Search vendor "Redhat" for product "Build Of Optaplanner" and version "8.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Build Of Quarkus Search vendor "Redhat" for product "Build Of Quarkus" | >= 2.13.0 < 2.13.8 Search vendor "Redhat" for product "Build Of Quarkus" and version " >= 2.13.0 < 2.13.8" | text-only |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Decision Manager Search vendor "Redhat" for product "Decision Manager" | 7.0 Search vendor "Redhat" for product "Decision Manager" and version "7.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Integration Camel K Search vendor "Redhat" for product "Integration Camel K" | < 1.10.2 Search vendor "Redhat" for product "Integration Camel K" and version " < 1.10.2" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Integration Camel Quarkus Search vendor "Redhat" for product "Integration Camel Quarkus" | - | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Integration Service Registry Search vendor "Redhat" for product "Integration Service Registry" | - | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Middleware Search vendor "Redhat" for product "Jboss Middleware" | 1 Search vendor "Redhat" for product "Jboss Middleware" and version "1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Middleware Text-only Advisories Search vendor "Redhat" for product "Jboss Middleware Text-only Advisories" | 1.0 Search vendor "Redhat" for product "Jboss Middleware Text-only Advisories" and version "1.0" | middleware |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Serverless Search vendor "Redhat" for product "Openshift Serverless" | - | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Serverless Search vendor "Redhat" for product "Openshift Serverless" | 1.0 Search vendor "Redhat" for product "Openshift Serverless" and version "1.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Process Automation Manager Search vendor "Redhat" for product "Process Automation Manager" | 7.0 Search vendor "Redhat" for product "Process Automation Manager" and version "7.0" | - |
Affected
| ||||||