CVE-2023-4853

CWE-148CWE-863Incorrect Authorization5 documents5 sources
Severity
8.1HIGH
EPSS
0.5%
top 36.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
10
Quarkus QuarkusRedhat Build OF QuarkusRedhat Integration Camel K+7 more
Timeline
PublishedSep 20

Description

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages13 packages

Mavenio.quarkus:quarkus-vertx-http3.0.03.2.6.Final+2
NVDquarkus/quarkus3.2.03.2.6+2
NVDredhat/build_of_quarkus2.13.02.13.8
Mavenio.quarkus:quarkus-undertow3.0.03.2.6.Final+2
Mavenio.quarkus:quarkus-csrf-reactive3.0.03.2.6.Final+2

Also affects: Openshift Container Platform 4.10, 4.11, 4.12

🔴Vulnerability Details

3
GHSA
Quarkus HTTP vulnerable to incorrect evaluation of permissions2023-09-20
OSV
Quarkus HTTP vulnerable to incorrect evaluation of permissions2023-09-20
CVEList
Quarkus: http security policy bypass2023-09-20

📋Vendor Advisories

1
Red Hat
quarkus: HTTP security policy bypass2023-09-08
CVE-2023-4853 (HIGH CVSS 8.1) | A flaw was found in Quarkus where H | cvebase.io