{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-0044", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-02T04:54:32.575Z", "dateReserved": "2023-01-04T00:00:00", "datePublished": "2023-02-23T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-02-23T00:00:00"}, "descriptions": [{"lang": "en", "value": "If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature."}], "affected": [{"vendor": "n/a", "product": "quarkus-vertx-http", "versions": [{"version": "1.11.7", "status": "affected"}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-0044"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158081"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "cross-site attack"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:54:32.575Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-0044", "tags": ["x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CDB1115-A9F5-46F0-AB03-BBEFD72FA293", "versionEndExcluding": "2.13.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*", "matchCriteriaId": "CE29B9D6-63DC-4779-ACE8-4E51E6A0AF37", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature."}], "id": "CVE-2023-0044", "lastModified": "2023-03-03T15:58:52.633", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-23T20:15:12.823", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-0044"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158081"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Paulo Lopes (Red Hat).", "affected_release": [{"advisory": "RHSA-2023:0758", "cpe": "cpe:/a:redhat:quarkus:2.13", "product_name": "Red Hat build of Quarkus", "release_date": "2023-02-14T00:00:00Z"}, {"advisory": "RHSA-2023:1006", "cpe": "cpe:/a:redhat:quarkus:2.7", "package": "io.quarkus/quarkus-vertx-http", "product_name": "Red Hat build of Quarkus 2.7.7", "release_date": "2023-03-08T00:00:00Z"}], "bugzilla": {"description": "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure", "id": "2158081", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158081"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "details": ["If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.", "A flaw was found in Quarkus. If the Quarkus Form Authentication session cookie Path attribute is set to `/`, then a cross-site attack may be initiated, which might lead to information disclosure."], "mitigation": {"lang": "en:us", "value": "This attack can be prevented with the Quarkus CSRF Prevention feature."}, "name": "CVE-2023-0044", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "quarkus-vertx-http", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Not affected", "package_name": "quarkus-vertx-http", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Not affected", "package_name": "io.quarkus/quarkus-vertx-http", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "quarkus-vertx-http", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "quarkus-vertx-http", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Not affected", "package_name": "quarkus-vertx-http", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "quarkus-vertx-http", "product_name": "Red Hat Integration Change Data Capture"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "quarkus-vertx-http", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "quarkus-vertx-http", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "quarkus-vertx-http", "product_name": "Red Hat Process Automation 7"}], "public_date": "2023-01-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-0044\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-0044\nhttps://github.com/advisories/GHSA-c57v-hc7m-8px2"], "threat_severity": "Low", "upstream_fix": "quarkus-vertx-http 2.13.7"}