Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS02aGM5LWNmOHgtaGY4M84AA2O5

Quarkus OIDC can leak both ID and access tokens

A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.

Permalink: https://github.com/advisories/GHSA-6hc9-cf8x-hf83
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02aGM5LWNmOHgtaGY4M84AA2O5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 7 months ago
Updated: 7 days ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-6hc9-cf8x-hf83, CVE-2023-1584
References:

• https://nvd.nist.gov/vuln/detail/CVE-2023-1584
• https://github.com/quarkusio/quarkus/pull/32192
• https://github.com/quarkusio/quarkus/pull/33414
• https://access.redhat.com/errata/RHSA-2023:3809
• https://access.redhat.com/security/cve/CVE-2023-1584
• https://bugzilla.redhat.com/show_bug.cgi?id=2180886
• https://github.com/quarkusio/quarkus/pull/32192/commits/5369d7ff233d3afe84ecd9160c541fba52b38e69
• https://github.com/quarkusio/quarkus/pull/33414/commits/df305ff12386cf28b33567b8d9a18db164f019dd
• https://github.com/quarkusio/quarkus/commit/5369d7ff233d3afe84ecd9160c541fba52b38e69
• https://github.com/quarkusio/quarkus/commit/df305ff12386cf28b33567b8d9a18db164f019dd
• https://access.redhat.com/errata/RHSA-2023:7653
• https://github.com/advisories/GHSA-6hc9-cf8x-hf83

Repository: https://github.com/quarkusio/quarkus
Blast Radius: 20.2

Affected Packages