First published: Fri Sep 08 2023
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
| --- | --- | --- |
| redhat/openshift-serverless-clients | <0:1.9.2-3.el8 | 0:1.9.2-3.el8 |
| Quarkus | <2.16.11 | |
| Quarkus | >=3.2.0 <3.2.6 | |
| Quarkus | >=3.3.0 <3.3.3 | |
| Red Hat Build of OptaPlanner | =8.0 | |
| Red Hat Build of Quarkus | >=2.13.0 <2.13.8 | |
| Red Hat Decision Manager | =7.0 | |
| Red Hat Integration Camel K | <1.10.2 | |
| Red Hat Integration Camel Quarkus | | |
| Red Hat Integration Service Registry | | |
| Red Hat JBoss Middleware | =1 | |
| Red Hat OpenShift Serverless | | |
| Red Hat OpenShift Serverless | =1.0 | |
| Red Hat Process Automation Manager | =7.0 | |
| maven/io.quarkus:quarkus-keycloak-authorization | >=3.3.0 <3.3.3 | 3.3.3 |
| maven/io.quarkus:quarkus-keycloak-authorization | >=3.0.0 <3.2.6.Final | 3.2.6.Final |
| maven/io.quarkus:quarkus-keycloak-authorization | <2.16.11.Final | 2.16.11.Final |
| maven/io.quarkus:quarkus-csrf-reactive | >=3.3.0 <3.3.3 | 3.3.3 |
| maven/io.quarkus:quarkus-csrf-reactive | >=3.0.0 <3.2.6.Final | 3.2.6.Final |
| maven/io.quarkus:quarkus-csrf-reactive | <2.16.11.Final | 2.16.11.Final |
| maven/io.quarkus:quarkus-undertow | >=3.3.0 <3.3.3 | 3.3.3 |
| maven/io.quarkus:quarkus-undertow | >=3.0.0 <3.2.6.Final | 3.2.6.Final |
| maven/io.quarkus:quarkus-undertow | <2.16.11.Final | 2.16.11.Final |
| maven/io.quarkus:quarkus-vertx-http | >=3.3.0 <3.3.3 | 3.3.3 |
| maven/io.quarkus:quarkus-vertx-http | >=3.0.0 <3.2.6.Final | 3.2.6.Final |
| maven/io.quarkus:quarkus-vertx-http | <2.16.11.Final | 2.16.11.Final |
| redhat/quarkus | <2.16.11 | 2.16.11 |
| redhat/quarkus | <3.2.6 | 3.2.6 |
| redhat/quarkus | <3.3.3 | 3.3.3 |
Mitigation: use a ‘deny’ wildcard for base paths, then authenticate specifics within that. Examples:

```
deny: /*
authenticated: /services/*
```

or

```
deny: /services/*
roles-allowed: /services/rbac/*
```

NOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected (shipping the component in question) without being vulnerable (“affected at reduced impact”). See https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations.
CVE-2023-4853 is a vulnerability in Quarkus that allows an attacker to bypass security policies and gain unauthorized access to endpoints.
CVE-2023-4853 has a severity rating of 9.8 out of 10, indicating it is critical.
Quarkus versions between 2.16.11 and 3.3.3 are affected by CVE-2023-4853.
To fix CVE-2023-4853, update Quarkus to version 3.3.3 or apply the appropriate patches provided by Red Hat.
You can find more information about CVE-2023-4853 in the references section of the vulnerability report.