What is CVE-2023-4853?

CVE-2023-4853 is a vulnerability in Quarkus that allows an attacker to bypass security policies and gain unauthorized access to endpoints.

How severe is CVE-2023-4853?

CVE-2023-4853 has a severity rating of 9.8 out of 10, indicating it is critical.

Which versions of Quarkus are affected by CVE-2023-4853?

Quarkus versions between 2.16.11 and 3.3.3 are affected by CVE-2023-4853.

How can I fix CVE-2023-4853?

To fix CVE-2023-4853, update Quarkus to version 3.3.3 or apply the appropriate patches provided by Red Hat.

Where can I find more information about CVE-2023-4853?

You can find more information about CVE-2023-4853 in the references section of the vulnerability report.

Vulnerability/
CVE-2023-4853

high

8.1

CWE

148 863

8/9/2023

20/9/2023

23/11/2024

CVE-2023-4853: Quarkus: http security policy bypass

First published: Fri Sep 08 2023(Updated: )

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com

Affected Software	Affected Version	How to fix
redhat/openshift-serverless-clients	<0:1.9.2-3.el8	0:1.9.2-3.el8
maven/io.quarkus:quarkus-keycloak-authorization	>=3.3.0<3.3.3	3.3.3
maven/io.quarkus:quarkus-keycloak-authorization	>=3.0.0<3.2.6.Final	3.2.6.Final
maven/io.quarkus:quarkus-keycloak-authorization	<2.16.11.Final	2.16.11.Final
maven/io.quarkus:quarkus-csrf-reactive	>=3.3.0<3.3.3	3.3.3
maven/io.quarkus:quarkus-csrf-reactive	>=3.0.0<3.2.6.Final	3.2.6.Final
maven/io.quarkus:quarkus-csrf-reactive	<2.16.11.Final	2.16.11.Final
maven/io.quarkus:quarkus-undertow	>=3.3.0<3.3.3	3.3.3
maven/io.quarkus:quarkus-undertow	>=3.0.0<3.2.6.Final	3.2.6.Final
maven/io.quarkus:quarkus-undertow	<2.16.11.Final	2.16.11.Final
maven/io.quarkus:quarkus-vertx-http	>=3.3.0<3.3.3	3.3.3
maven/io.quarkus:quarkus-vertx-http	>=3.0.0<3.2.6.Final	3.2.6.Final
maven/io.quarkus:quarkus-vertx-http	<2.16.11.Final	2.16.11.Final
redhat/quarkus	<2.16.11.	2.16.11.
redhat/quarkus	<3.2.6.	3.2.6.
redhat/quarkus	<3.3.3	3.3.3
Red Hat Quarkus	<2.16.11
Red Hat Quarkus	>=3.2.0<3.2.6
Red Hat Quarkus	>=3.3.0<3.3.3
Red Hat Build of OptaPlanner	=8.0
Red Hat Quarkus	>=2.13.0<2.13.8
redhat decision manager	=7.0
Apache Camel	<1.10.2
Apache Camel
Red Hat Integration - Service Registry
Red Hat JBoss Middleware	=1
Red Hat OpenShift Serverless
Red Hat OpenShift Serverless	=1.0
Red Hat Process Automation Manager	=7.0
Red Hat JBoss Middleware	=1.0
All of
Any of
redhat openshift container platform	=4.10
redhat openshift container platform	=4.11
redhat openshift container platform	=4.12
Red Hat Enterprise Linux	=8.0

Remedy

Use a ‘deny’ wildcard for base paths, then authenticate specifics within that: Examples: ``` deny: /* authenticated: /services/* ``` or ``` deny: /services/* roles-allowed: /services/rbac/* ``` NOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected–shipping the component in question–without being vulnerable (“affected at reduced impact”). See https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations.

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2023-4853?
CVE-2023-4853 is a vulnerability in Quarkus that allows an attacker to bypass security policies and gain unauthorized access to endpoints.
How severe is CVE-2023-4853?
CVE-2023-4853 has a severity rating of 9.8 out of 10, indicating it is critical.
Which versions of Quarkus are affected by CVE-2023-4853?
Quarkus versions between 2.16.11 and 3.3.3 are affected by CVE-2023-4853.
How can I fix CVE-2023-4853?
To fix CVE-2023-4853, update Quarkus to version 3.3.3 or apply the appropriate patches provided by Red Hat.
Where can I find more information about CVE-2023-4853?
You can find more information about CVE-2023-4853 in the references section of the vulnerability report.

collector/redhat-cve
collector/github-advisory-latest
alias/GHSA-4f4r-wgv2-jjvg
alias/CVE-2023-4853
collector/github-advisory
agent/type
agent/first-publish-date
collector/ibm-support
source/IBM
agent/weakness
agent/references
agent/author
agent/remedy
agent/title
agent/severity
agent/description
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/event
agent/trending
agent/source
agent/tags
agent/softwarecombine
collector/nvd-index
agent/software-canonical-lookup-request
collector/nvd-cve
collector/nvd-api
source/NVD
package-manager/redhat
package-manager/maven
vendor/quarkus
canonical/red hat quarkus
version/red hat quarkus/3.2.0
version/red hat quarkus/3.3.0
vendor/redhat
canonical/red hat build of optaplanner
version/red hat build of optaplanner/8.0
version/red hat quarkus/2.13.0
canonical/redhat decision manager
version/redhat decision manager/7.0
canonical/apache camel
canonical/red hat integration - service registry
canonical/red hat jboss middleware
version/red hat jboss middleware/1
canonical/red hat openshift serverless
version/red hat openshift serverless/1.0
canonical/red hat process automation manager
version/red hat process automation manager/7.0
version/red hat jboss middleware/1.0
canonical/redhat openshift container platform
version/redhat openshift container platform/4.10
version/redhat openshift container platform/4.11
version/redhat openshift container platform/4.12
canonical/red hat enterprise linux
version/red hat enterprise linux/8.0