CVE-2023-4853
CVE-2023-4853 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. A flaw was found in Quarkus where HTTP security policies do not sanitize certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service. EPSS estimates a 1.21% chance of exploitation in the next 30 days.
Description
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Quarkus | Quarkus | < 2.16.11 |
| Quarkus | Quarkus | >= 3.2.0, < 3.2.6 |
| Quarkus | Quarkus | >= 3.3.0, < 3.3.3 |
| Redhat | Build Of Optaplanner | 8.0 |
| Redhat | Build Of Quarkus | >= 2.13.0, < 2.13.8 |
| Redhat | Decision Manager | 7.0 |
| Redhat | Integration Camel K | < 1.10.2 |
| Redhat | Integration Camel Quarkus | All versions |
| Redhat | Integration Service Registry | All versions |
| Redhat | Jboss Middleware | 1 |
| Redhat | Jboss Middleware Text-Only Advisories | 1.0 |
| Redhat | Openshift Serverless | All versions |
| Redhat | Openshift Serverless | 1.0 |
| Redhat | Process Automation Manager | 7.0 |
| Redhat | Openshift Container Platform | 4.10 |
| Redhat | Openshift Container Platform | 4.11 |
| Redhat | Openshift Container Platform | 4.12 |
References
- https://access.redhat.com/errata/RHSA-2023:5170 (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2023:5310 (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2023:5337 (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2023:5446 (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2023:5479 (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2023:5480 (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2023:6107 (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2023:6112 (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2023:7653 (Vendor Advisory)
- https://access.redhat.com/security/cve/CVE-2023-4853 (Mitigation, Vendor Advisory)
- https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 (Exploit, Mitigation, Technical Description, Vendor Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=2238034 (Issue Tracking, Vendor Advisory)
Source: NVD / NIST
