Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00ZjRyLXdndjItamp2Z84AA19i

Quarkus HTTP vulnerable to incorrect evaluation of permissions

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

Permalink: https://github.com/advisories/GHSA-4f4r-wgv2-jjvg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00ZjRyLXdndjItamp2Z84AA19i
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 8 months ago
Updated: 5 months ago


CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-4f4r-wgv2-jjvg, CVE-2023-4853
References: Repository: https://github.com/quarkusio/quarkus
Blast Radius: 21.5

Affected Packages

maven:io.quarkus:quarkus-keycloak-authorization
Dependent packages: 12
Dependent repositories: 239
Downloads:
Affected Version Ranges: >= 3.3.0, < 3.3.3, >= 3.0.0, < 3.2.6.Final, < 2.16.11.Final
Fixed in: 3.3.3, 3.2.6.Final, 2.16.11.Final
All affected versions: 0.27.0, 0.28.0, 0.28.1, 2.16.1-0.Final, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.10.0
All unaffected versions:
maven:io.quarkus:quarkus-csrf-reactive
Dependent packages: 5
Dependent repositories: 51
Downloads:
Affected Version Ranges: >= 3.3.0, < 3.3.3, >= 3.0.0, < 3.2.6.Final, < 2.16.11.Final
Fixed in: 3.3.3, 3.2.6.Final, 2.16.11.Final
All affected versions: 2.16.1-0.Final, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.9.0, 3.9.1, 3.9.2, 3.9.3
All unaffected versions:
maven:io.quarkus:quarkus-undertow
Dependent packages: 72
Dependent repositories: 449
Downloads:
Affected Version Ranges: >= 3.3.0, < 3.3.3, >= 3.0.0, < 3.2.6.Final, < 2.16.11.Final
Fixed in: 3.3.3, 3.2.6.Final, 2.16.11.Final
All affected versions: 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.14.0, 0.15.0, 0.16.0, 0.16.1, 0.17.0, 0.18.0, 0.19.0, 0.19.1, 0.20.0, 0.21.0, 0.21.1, 0.21.2, 0.22.0, 0.23.0, 0.23.1, 0.23.2, 0.24.0, 0.25.0, 0.26.0, 0.26.1, 0.27.0, 0.28.0, 0.28.1, 2.16.1-0.Final, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.10.0
All unaffected versions:
maven:io.quarkus:quarkus-vertx-http
Dependent packages: 91
Dependent repositories: 185
Downloads:
Affected Version Ranges: >= 3.3.0, < 3.3.3, >= 3.0.0, < 3.2.6.Final, < 2.16.11.Final
Fixed in: 3.3.3, 3.2.6.Final, 2.16.11.Final
All affected versions: 0.23.0, 0.23.1, 0.23.2, 0.24.0, 0.25.0, 0.26.0, 0.26.1, 0.27.0, 0.28.0, 0.28.1, 2.16.1-0.Final, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.10.0
All unaffected versions: