What is CVE-2023-4853?

CVE-2023-4853 is a vulnerability in Quarkus that allows an attacker to bypass security policies and gain unauthorized access to endpoints.

How severe is CVE-2023-4853?

CVE-2023-4853 has a severity rating of 9.8 out of 10, indicating it is critical.

Which versions of Quarkus are affected by CVE-2023-4853?

Quarkus versions between 2.16.11 and 3.3.3 are affected by CVE-2023-4853.

How can I fix CVE-2023-4853?

To fix CVE-2023-4853, update Quarkus to version 3.3.3 or apply the appropriate patches provided by Red Hat.

Where can I find more information about CVE-2023-4853?

You can find more information about CVE-2023-4853 in the references section of the vulnerability report.

Vulnerability/
CVE-2023-4853

high

8.1

CWE

148 863

8/9/2023

20/9/2023

25/4/2024

CVE-2023-4853: Quarkus: http security policy bypass

First published: Fri Sep 08 2023(Updated: )

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com

Affected Software	Affected Version	How to fix
redhat/openshift-serverless-clients	<0:1.9.2-3.el8	0:1.9.2-3.el8
Quarkus Quarkus	<2.16.11
Quarkus Quarkus	>=3.2.0<3.2.6
Quarkus Quarkus	>=3.3.0<3.3.3
Redhat Build Of Optaplanner	=8.0
Redhat Build Of Quarkus	>=2.13.0<2.13.8
Redhat Decision Manager	=7.0
Redhat Integration Camel K	<1.10.2
Redhat Integration Camel Quarkus
Redhat Integration Service Registry
Redhat Jboss Middleware	=1
Redhat Openshift Serverless
Redhat Openshift Serverless	=1.0
Redhat Process Automation Manager	=7.0
maven/io.quarkus:quarkus-keycloak-authorization	>=3.3.0<3.3.3	3.3.3
maven/io.quarkus:quarkus-keycloak-authorization	>=3.0.0<3.2.6.Final	3.2.6.Final
maven/io.quarkus:quarkus-keycloak-authorization	<2.16.11.Final	2.16.11.Final
maven/io.quarkus:quarkus-csrf-reactive	>=3.3.0<3.3.3	3.3.3
maven/io.quarkus:quarkus-csrf-reactive	>=3.0.0<3.2.6.Final	3.2.6.Final
maven/io.quarkus:quarkus-csrf-reactive	<2.16.11.Final	2.16.11.Final
maven/io.quarkus:quarkus-undertow	>=3.3.0<3.3.3	3.3.3
maven/io.quarkus:quarkus-undertow	>=3.0.0<3.2.6.Final	3.2.6.Final
maven/io.quarkus:quarkus-undertow	<2.16.11.Final	2.16.11.Final
maven/io.quarkus:quarkus-vertx-http	>=3.3.0<3.3.3	3.3.3
maven/io.quarkus:quarkus-vertx-http	>=3.0.0<3.2.6.Final	3.2.6.Final
maven/io.quarkus:quarkus-vertx-http	<2.16.11.Final	2.16.11.Final
redhat/quarkus	<2.16.11.	2.16.11.
redhat/quarkus	<3.2.6.	3.2.6.
redhat/quarkus	<3.3.3	3.3.3
Redhat Jboss Middleware Text-only Advisories Middleware	=1.0
All of
Any of
Redhat Openshift Container Platform	=4.10
Redhat Openshift Container Platform	=4.11
Redhat Openshift Container Platform	=4.12
Redhat Enterprise Linux	=8.0

Remedy

Use a ‘deny’ wildcard for base paths, then authenticate specifics within that: Examples: ``` deny: /* authenticated: /services/* ``` or ``` deny: /services/* roles-allowed: /services/rbac/* ``` NOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected–shipping the component in question–without being vulnerable (“affected at reduced impact”). See https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations.

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2023-4853?
CVE-2023-4853 is a vulnerability in Quarkus that allows an attacker to bypass security policies and gain unauthorized access to endpoints.
How severe is CVE-2023-4853?
CVE-2023-4853 has a severity rating of 9.8 out of 10, indicating it is critical.
Which versions of Quarkus are affected by CVE-2023-4853?
Quarkus versions between 2.16.11 and 3.3.3 are affected by CVE-2023-4853.
How can I fix CVE-2023-4853?
To fix CVE-2023-4853, update Quarkus to version 3.3.3 or apply the appropriate patches provided by Red Hat.
Where can I find more information about CVE-2023-4853?
You can find more information about CVE-2023-4853 in the references section of the vulnerability report.

collector/redhat-cve
collector/nvd-index
collector/github-advisory-latest
alias/GHSA-4f4r-wgv2-jjvg
alias/CVE-2023-4853
collector/nvd-cve
collector/github-advisory
agent/type
agent/first-publish-date
collector/ibm-support
source/IBM
agent/weakness
agent/softwarecombine
agent/references
agent/author
agent/remedy
agent/title
agent/severity
agent/description
agent/tags
agent/event
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
collector/mitre-cve
source/MITRE
agent/last-modified-date
collector/nvd-api
agent/software-canonical-lookup-request
package-manager/redhat
vendor/quarkus
canonical/quarkus quarkus
version/quarkus quarkus/3.2.0
version/quarkus quarkus/3.3.0
vendor/redhat
canonical/redhat build of optaplanner
version/redhat build of optaplanner/8.0
canonical/redhat build of quarkus
version/redhat build of quarkus/2.13.0
canonical/redhat decision manager
version/redhat decision manager/7.0
canonical/redhat integration camel k
canonical/redhat integration camel quarkus
canonical/redhat integration service registry
canonical/redhat jboss middleware
version/redhat jboss middleware/1
canonical/redhat openshift serverless
version/redhat openshift serverless/1.0
canonical/redhat process automation manager
version/redhat process automation manager/7.0
package-manager/maven
canonical/redhat jboss middleware text-only advisories middleware
version/redhat jboss middleware text-only advisories middleware/1.0
canonical/redhat openshift container platform
version/redhat openshift container platform/4.10
version/redhat openshift container platform/4.11
version/redhat openshift container platform/4.12
canonical/redhat enterprise linux
version/redhat enterprise linux/8.0