// For flags

CVE-2023-4853

Quarkus: http security policy bypass

Severity Score

8.1
*CVSS v3.1

Exploit Likelihood

4.5%
*EPSS

Affected Versions

17
*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

Se encontró una falla en Quarkus donde las políticas de seguridad HTTP no sanitiza correctamente ciertas permutaciones de caracteres al aceptar solicitudes, lo que resulta en una evaluación incorrecta de los permisos. Este problema podría permitir que un atacante eluda la política de seguridad por completo, lo que resultaría en un acceso no autorizado al endpoint y posiblemente una Denegación de Servicio.

Red Hat OpenShift Serverless Client kn 1.30.1 provides a CLI to interact with Red Hat OpenShift Serverless 1.30.1. The kn CLI is delivered as an RPM package for installation on RHEL platforms, and as binaries for non-Linux platforms. This release includes security and bug fixes, and enhancements. Issues addressed include a bypass vulnerability.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-09-08 CVE Reserved
  • 2023-09-15 CVE Published
  • 2024-11-23 CVE Updated
  • 2024-11-23 First Exploit
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-148: Improper Neutralization of Input Leaders
  • CWE-863: Incorrect Authorization
CAPEC
Affected Vendors, Products, and Versions (17)