CVE-2023-4853

CVSS v3.1: 8.1 (High)
EPSS: 0.24% (65th percentile)
Affected Products: 13
Advisories: 1

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

Weaknesses
  CWE-148: Improper Neutralization of Input Leaders
  CWE-863: Incorrect Authorization
CVE Status: PUBLISHED
CNA: Red Hat, Inc.
Published Date: 2023-09-20 10:15:14
Updated Date: 2023-12-21 01:02:06

Affected Products


Configuration #1

  Product                                     CPE 2.3                      From       Up To
  Quarkus prior to 2.16.11                    cpe:2.3:a:quarkus:quarkus    -          < 2.16.11
  Quarkus from 3.2.0 and prior to 3.2.6       cpe:2.3:a:quarkus:quarkus    >= 3.2.0   < 3.2.6
  Quarkus from 3.3.0 and prior to 3.3.3       cpe:2.3:a:quarkus:quarkus    >= 3.3.0   < 3.3.3

Configuration #2

  Product                                                          CPE 2.3                                                                          From        Up To
  Redhat Build Of Optaplanner 8.0                                  cpe:2.3:a:redhat:build_of_optaplanner:8.0                                        -           -
  Redhat Build Of Quarkus from 2.13.0 and prior to 2.13.8          cpe:2.3:a:redhat:build_of_quarkus::*:*:*:text-only                               >= 2.13.0   < 2.13.8
  Redhat Decision Manager 7.0                                      cpe:2.3:a:redhat:decision_manager:7.0                                            -           -
  Redhat Integration Camel K prior to 1.10.2                       cpe:2.3:a:redhat:integration_camel_k                                             -           < 1.10.2
  Redhat Integration Camel Quarkus                                 cpe:2.3:a:redhat:integration_camel_quarkus:-                                     -           -
  Redhat Integration Service Registry                              cpe:2.3:a:redhat:integration_service_registry:-                                  -           -
  Redhat Jboss Middleware 1                                        cpe:2.3:a:redhat:jboss_middleware:1                                              -           -
  Redhat Jboss Middleware Text-only Advisories 1.0 for Middleware  cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:1.0:*:*:*:*:middleware   -           -
  Redhat Openshift Serverless                                      cpe:2.3:a:redhat:openshift_serverless:-                                          -           -
  Redhat Openshift Serverless 1.0                                  cpe:2.3:a:redhat:openshift_serverless:1.0                                        -           -
  Redhat Process Automation Manager 7.0                            cpe:2.3:a:redhat:process_automation_manager:7.0                                  -           -

Configuration #3 (AND of the rows below)

  Operator  Product                                                         CPE 2.3
  OR        Redhat Openshift Container Platform 4.10                        cpe:2.3:a:redhat:openshift_container_platform:4.10
  OR        Running on/with: Redhat Openshift Container Platform 4.11       cpe:2.3:a:redhat:openshift_container_platform:4.11
  OR        Running on/with: Redhat Openshift Container Platform 4.12       cpe:2.3:a:redhat:openshift_container_platform:4.12
  OR        Running on/with: Redhat Enterprise Linux 8.0                    cpe:2.3:o:redhat:enterprise_linux:8.0