What is the vulnerability ID of this flaw?

The vulnerability ID of this flaw is CVE-2023-0044.

What is the severity level of CVE-2023-0044?

CVE-2023-0044 has a severity level of medium.

What is the potential risk of this vulnerability?

The potential risk of this vulnerability is cross-site attack which may lead to information disclosure.

How can the Quarkus CSRF Prevention feature help prevent this vulnerability?

The Quarkus CSRF Prevention feature can prevent the cross-site attack and mitigate the risk of information disclosure.

Vulnerability/
CVE-2023-0044

medium

6.1

CWE

79 352

4/1/2023

17/4/2024

CVE-2023-0044: XSS

Q: How does this vulnerability affect Quarkus?

This vulnerability affects Quarkus if the Quarkus Form Authentication session cookie Path attribute is set to '/'.

First published: Wed Jan 04 2023(Updated: )

A flaw was found in Quarkus. If the Quarkus Form Authentication session cookie Path attribute is set to `/`, then a cross-site attack may be initiated, which might lead to information disclosure.

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
Quarkus Quarkus	<2.13.7
Redhat Build Of Quarkus
redhat/quarkus-vertx-http	<2.13.7	2.13.7

Remedy

This attack can be prevented with the Quarkus CSRF Prevention feature.

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is the vulnerability ID of this flaw?
The vulnerability ID of this flaw is CVE-2023-0044.
What is the severity level of CVE-2023-0044?
CVE-2023-0044 has a severity level of medium.
How does this vulnerability affect Quarkus?
This vulnerability affects Quarkus if the Quarkus Form Authentication session cookie Path attribute is set to '/'.
What is the potential risk of this vulnerability?
The potential risk of this vulnerability is cross-site attack which may lead to information disclosure.
How can the Quarkus CSRF Prevention feature help prevent this vulnerability?
The Quarkus CSRF Prevention feature can prevent the cross-site attack and mitigate the risk of information disclosure.

collector/redhat-cve
collector/nvd-index
agent/author
agent/type
agent/first-publish-date
agent/last-modified-date
agent/remedy
agent/weakness
agent/softwarecombine
agent/severity
agent/references
agent/tags
agent/description
agent/event
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2023-0044
agent/software-canonical-lookup
vendor/quarkus
canonical/quarkus quarkus
vendor/redhat
canonical/redhat build of quarkus
package-manager/redhat

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.