{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-2974", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-05-30T10:06:53.993Z", "datePublished": "2023-07-04T13:24:29.648Z", "dateUpdated": "2024-08-02T06:41:03.976Z"}, "containers": {"cna": {"title": "Quarkus-core: tls protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported tls protocol", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat build of Quarkus 2.13.8.Final", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.quarkus/quarkus-grpc", "defaultStatus": "affected", "versions": [{"version": "2.13.8.Final-redhat-00004", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:quarkus:2.13"]}, {"vendor": "Red Hat", "product": "Red Hat build of Quarkus 2.13.8.Final", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.quarkus/quarkus-vertx-http", "defaultStatus": "affected", "versions": [{"version": "2.13.8.Final-redhat-00004", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:quarkus:2.13"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:3809", "name": "RHSA-2023:3809", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-2974", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211026", "name": "RHBZ#2211026", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2023-06-29T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-757", "description": "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", "timeline": [{"lang": "en", "time": "2023-05-30T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-06-29T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "This issue was discovered by Alexander Schwartz (Red Hat)."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-05-03T15:32:35.950Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:41:03.976Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:3809", "name": "RHSA-2023:3809", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-2974", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211026", "name": "RHBZ#2211026", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:build_of_quarkus:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA14AAC6-1EBE-4249-8EAA-38CBFE82A63B", "versionEndExcluding": "2.13.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol."}], "id": "CVE-2023-2974", "lastModified": "2024-11-21T07:59:40.557", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-07-04T14:15:09.473", "references": [{"source": "secalert@redhat.com", "tags": ["Release Notes"], "url": "https://access.redhat.com/errata/RHSA-2023:3809"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-2974"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211026"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://access.redhat.com/errata/RHSA-2023:3809"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-2974"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211026"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-757"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Alexander Schwartz (Red Hat).", "affected_release": [{"advisory": "RHSA-2023:3809", "cpe": "cpe:/a:redhat:quarkus:2.13::el8", "package": "io.quarkus/quarkus-grpc:2.13.8.Final-redhat-00004", "product_name": "Red Hat build of Quarkus 2.13.8.Final", "release_date": "2023-06-29T00:00:00Z"}, {"advisory": "RHSA-2023:3809", "cpe": "cpe:/a:redhat:quarkus:2.13::el8", "package": "io.quarkus/quarkus-vertx-http:2.13.8.Final-redhat-00004", "product_name": "Red Hat build of Quarkus 2.13.8.Final", "release_date": "2023-06-29T00:00:00Z"}], "bugzilla": {"description": "quarkus-core: TLS protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported TLS protocol", "id": "2211026", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211026"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-757", "details": ["A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.", "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol."], "name": "CVE-2023-2974", "public_date": "2023-06-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-2974\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-2974"], "threat_severity": "Moderate", "upstream_fix": "quarkus 2.13.8"}