CVE-2023-4853

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

Published: Sep 20, 2023
Updated: May 9, 2024
CVE: CVE-2023-4853
GHSA: GHSA-4f4r-wgv2-jjvg
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

Affected Software
References

Software	From	Fixed in
io.quarkus / quarkus-vertx-http	-	2.16.11.Final
io.quarkus / quarkus-vertx-http	3.0.0	3.2.6.Final
io.quarkus / quarkus-vertx-http	3.3.0	3.3.3
io.quarkus / quarkus-undertow	-	2.16.11.Final
io.quarkus / quarkus-undertow	3.0.0	3.2.6.Final
io.quarkus / quarkus-undertow	3.3.0	3.3.3
io.quarkus / quarkus-csrf-reactive	-	2.16.11.Final
io.quarkus / quarkus-csrf-reactive	3.0.0	3.2.6.Final
io.quarkus / quarkus-csrf-reactive	3.3.0	3.3.3
io.quarkus / quarkus-keycloak-authorization	-	2.16.11.Final
io.quarkus / quarkus-keycloak-authorization	3.0.0	3.2.6.Final
io.quarkus / quarkus-keycloak-authorization	3.3.0	3.3.3
quarkus / quarkus	3.3.0	3.3.3
quarkus / quarkus	3.2.0	3.2.6
quarkus / quarkus	-	2.16.11
redhat / decision_manager	7.0	7.0.x
redhat / build_of_quarkus	2.13.0	2.13.8
redhat / integration_camel_k	-	1.10.2
redhat / process_automation_manager	7.0	7.0.x
redhat / build_of_optaplanner	8.0	8.0.x
redhat / jboss_middleware	1	1.x
redhat / openshift_serverless	1.0	1.0.x
redhat / jboss_middleware_text-only_advisories	1.0	1.0.x
redhat / openshift_container_platform	4.10	4.10.x
redhat / openshift_container_platform	4.11	4.11.x
redhat / openshift_container_platform	4.12	4.12.x

Vulnerability Database

289,571

CVE-2023-4853