CVE-2023-4853
20.09.2023, 10:15
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| quarkus | quarkus | 𝑥 < 2.16.11 |
| quarkus | quarkus | 3.2.0 ≤ 𝑥 < 3.2.6 |
| quarkus | quarkus | 3.3.0 ≤ 𝑥 < 3.3.3 |
| redhat | build_of_optaplanner | 8.0 |
| redhat | build_of_quarkus | 2.13.0 ≤ 𝑥 < 2.13.8 |
| redhat | decision_manager | 7.0 |
| redhat | integration_camel_k | 𝑥 < 1.10.2 |
| redhat | integration_camel_quarkus | - |
| redhat | integration_service_registry | - |
| redhat | jboss_middleware_text-only_advisories | 1.0 |
| redhat | openshift_serverless | - |
| redhat | openshift_serverless | 1.0 |
| redhat | process_automation_manager | 7.0 |
| redhat | openshift_container_platform | 4.10 |
| redhat | openshift_container_platform | 4.11 |
| redhat | openshift_container_platform | 4.12 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-148 - Improper Neutralization of Input LeadersThe application does not properly handle when a leading character or sequence ("leader") is missing or malformed, or if multiple leaders are used when only one should be allowed.
- CWE-863 - Incorrect AuthorizationThe software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
References