Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00ZjRyLXdndjItamp2Z84AA19i
Quarkus HTTP vulnerable to incorrect evaluation of permissions
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
Permalink: https://github.com/advisories/GHSA-4f4r-wgv2-jjvgJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00ZjRyLXdndjItamp2Z84AA19i
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00576
EPSS Percentile: 0.78022
Identifiers: GHSA-4f4r-wgv2-jjvg, CVE-2023-4853
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-4853
- https://access.redhat.com/errata/RHSA-2023:5170
- https://access.redhat.com/errata/RHSA-2023:5310
- https://access.redhat.com/security/cve/CVE-2023-4853
- https://access.redhat.com/security/vulnerabilities/RHSB-2023-002
- https://bugzilla.redhat.com/show_bug.cgi?id=2238034
- https://github.com/quarkusio/quarkus/issues/35785
- https://access.redhat.com/errata/RHSA-2023:5337
- https://github.com/quarkusio/quarkus/discussions/35940
- https://access.redhat.com/errata/RHSA-2023:5446
- https://access.redhat.com/errata/RHSA-2023:5479
- https://access.redhat.com/errata/RHSA-2023:5480
- https://access.redhat.com/articles/11258
- https://access.redhat.com/errata/RHSA-2023:6107
- https://access.redhat.com/errata/RHSA-2023:6112
- https://access.redhat.com/errata/RHSA-2023:7653
- https://github.com/advisories/GHSA-4f4r-wgv2-jjvg
Blast Radius: 21.5
Affected Packages
maven:io.quarkus:quarkus-keycloak-authorization
Dependent packages: 12Dependent repositories: 239
Downloads:
Affected Version Ranges: >= 3.3.0, < 3.3.3, >= 3.0.0, < 3.2.6.Final, < 2.16.11.Final
Fixed in: 3.3.3, 3.2.6.Final, 2.16.11.Final
All affected versions: 0.27.0, 0.28.0, 0.28.1, 2.16.1-0.Final, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.10.0, 3.10.1, 3.10.2, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.13.0, 3.13.1, 3.13.2, 3.13.3, 3.14.0, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.16.0, 3.16.1, 3.16.2, 3.16.3, 3.16.4, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.17.4, 3.17.5, 3.17.6, 3.17.7, 3.17.8, 3.18.0
All unaffected versions:
maven:io.quarkus:quarkus-csrf-reactive
Dependent packages: 5Dependent repositories: 51
Downloads:
Affected Version Ranges: >= 3.3.0, < 3.3.3, >= 3.0.0, < 3.2.6.Final, < 2.16.11.Final
Fixed in: 3.3.3, 3.2.6.Final, 2.16.11.Final
All affected versions: 2.16.1-0.Final, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.10.0, 3.10.1, 3.10.2, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.13.0, 3.13.1, 3.13.2, 3.13.3, 3.14.0, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.15.0, 3.15.1, 3.15.2
All unaffected versions:
maven:io.quarkus:quarkus-undertow
Dependent packages: 72Dependent repositories: 449
Downloads:
Affected Version Ranges: >= 3.3.0, < 3.3.3, >= 3.0.0, < 3.2.6.Final, < 2.16.11.Final
Fixed in: 3.3.3, 3.2.6.Final, 2.16.11.Final
All affected versions: 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.14.0, 0.15.0, 0.16.0, 0.16.1, 0.17.0, 0.18.0, 0.19.0, 0.19.1, 0.20.0, 0.21.0, 0.21.1, 0.21.2, 0.22.0, 0.23.0, 0.23.1, 0.23.2, 0.24.0, 0.25.0, 0.26.0, 0.26.1, 0.27.0, 0.28.0, 0.28.1, 2.16.1-0.Final, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.10.0, 3.10.1, 3.10.2, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.13.0, 3.13.1, 3.13.2, 3.13.3, 3.14.0, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.15.0, 3.15.1, 3.15.2, 3.16.0, 3.16.1, 3.16.2, 3.16.3, 3.16.4, 3.17.0, 3.17.1, 3.17.2
All unaffected versions:
maven:io.quarkus:quarkus-vertx-http
Dependent packages: 91Dependent repositories: 185
Downloads:
Affected Version Ranges: >= 3.3.0, < 3.3.3, >= 3.0.0, < 3.2.6.Final, < 2.16.11.Final
Fixed in: 3.3.3, 3.2.6.Final, 2.16.11.Final
All affected versions: 0.23.0, 0.23.1, 0.23.2, 0.24.0, 0.25.0, 0.26.0, 0.26.1, 0.27.0, 0.28.0, 0.28.1, 2.16.1-0.Final, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.10.0, 3.10.1, 3.10.2, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.13.0, 3.13.1, 3.13.2, 3.13.3, 3.14.0, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.15.0, 3.15.1, 3.15.2, 3.15.3, 3.16.0, 3.16.1, 3.16.2, 3.16.3, 3.16.4, 3.17.0, 3.17.1, 3.17.2, 3.17.3, 3.17.4, 3.17.5, 3.17.6, 3.17.7, 3.17.8, 3.18.0
All unaffected versions: