Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00ZjRyLXdndjItamp2Z84AA19i
Quarkus HTTP vulnerable to incorrect evaluation of permissions
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
Permalink: https://github.com/advisories/GHSA-4f4r-wgv2-jjvgJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00ZjRyLXdndjItamp2Z84AA19i
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 8 months ago
Updated: 5 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-4f4r-wgv2-jjvg, CVE-2023-4853
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-4853
- https://access.redhat.com/errata/RHSA-2023:5170
- https://access.redhat.com/errata/RHSA-2023:5310
- https://access.redhat.com/security/cve/CVE-2023-4853
- https://access.redhat.com/security/vulnerabilities/RHSB-2023-002
- https://bugzilla.redhat.com/show_bug.cgi?id=2238034
- https://github.com/quarkusio/quarkus/issues/35785
- https://access.redhat.com/errata/RHSA-2023:5337
- https://github.com/quarkusio/quarkus/discussions/35940
- https://access.redhat.com/errata/RHSA-2023:5446
- https://access.redhat.com/errata/RHSA-2023:5479
- https://access.redhat.com/errata/RHSA-2023:5480
- https://access.redhat.com/articles/11258
- https://access.redhat.com/errata/RHSA-2023:6107
- https://access.redhat.com/errata/RHSA-2023:6112
- https://access.redhat.com/errata/RHSA-2023:7653
- https://github.com/advisories/GHSA-4f4r-wgv2-jjvg
Blast Radius: 21.5
Affected Packages
maven:io.quarkus:quarkus-keycloak-authorization
Dependent packages: 12Dependent repositories: 239
Downloads:
Affected Version Ranges: >= 3.3.0, < 3.3.3, >= 3.0.0, < 3.2.6.Final, < 2.16.11.Final
Fixed in: 3.3.3, 3.2.6.Final, 2.16.11.Final
All affected versions: 0.27.0, 0.28.0, 0.28.1, 2.16.1-0.Final, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.10.0
All unaffected versions:
maven:io.quarkus:quarkus-csrf-reactive
Dependent packages: 5Dependent repositories: 51
Downloads:
Affected Version Ranges: >= 3.3.0, < 3.3.3, >= 3.0.0, < 3.2.6.Final, < 2.16.11.Final
Fixed in: 3.3.3, 3.2.6.Final, 2.16.11.Final
All affected versions: 2.16.1-0.Final, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.9.0, 3.9.1, 3.9.2, 3.9.3
All unaffected versions:
maven:io.quarkus:quarkus-undertow
Dependent packages: 72Dependent repositories: 449
Downloads:
Affected Version Ranges: >= 3.3.0, < 3.3.3, >= 3.0.0, < 3.2.6.Final, < 2.16.11.Final
Fixed in: 3.3.3, 3.2.6.Final, 2.16.11.Final
All affected versions: 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.14.0, 0.15.0, 0.16.0, 0.16.1, 0.17.0, 0.18.0, 0.19.0, 0.19.1, 0.20.0, 0.21.0, 0.21.1, 0.21.2, 0.22.0, 0.23.0, 0.23.1, 0.23.2, 0.24.0, 0.25.0, 0.26.0, 0.26.1, 0.27.0, 0.28.0, 0.28.1, 2.16.1-0.Final, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.10.0
All unaffected versions:
maven:io.quarkus:quarkus-vertx-http
Dependent packages: 91Dependent repositories: 185
Downloads:
Affected Version Ranges: >= 3.3.0, < 3.3.3, >= 3.0.0, < 3.2.6.Final, < 2.16.11.Final
Fixed in: 3.3.3, 3.2.6.Final, 2.16.11.Final
All affected versions: 0.23.0, 0.23.1, 0.23.2, 0.24.0, 0.25.0, 0.26.0, 0.26.1, 0.27.0, 0.28.0, 0.28.1, 2.16.1-0.Final, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.10.0
All unaffected versions: