CVE-2023-4853 - Vulnerability Details - OpenCVE

Description

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

Published: 2023-09-20

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Red Hat

Openshift Serverless 1 on RHEL 8

affected

Version	Status	Constraints
`0:1.9.2-3.el8`	unaffected	< *

Red Hat Red Hat build of OptaPlanner 8 unaffected —

Red Hat

Red Hat build of Quarkus 2.13.8.SP2

affected

Version	Status	Constraints
`2.13.8.Final-redhat-00005`	unaffected	< *

Red Hat

Red Hat build of Quarkus 2.13.8.SP2

affected

Version	Status	Constraints
`2.13.8.Final-redhat-00005`	unaffected	< *

Red Hat

Red Hat build of Quarkus 2.13.8.SP2

affected

Version	Status	Constraints
`2.13.8.Final-redhat-00005`	unaffected	< *

Red Hat Red Hat Camel Extensions for Quarkus 2.13.3-1 unaffected —

Red Hat

Red Hat OpenShift Serverless 1.30

affected

Version	Status	Constraints
`1.9.2-3`	unaffected	< *

Red Hat

Red Hat OpenShift Serverless 1.30

affected

Version	Status	Constraints
`1.30.1-1`	unaffected	< *

Red Hat

Red Hat OpenShift Serverless 1.30

affected

Version	Status	Constraints
`1.30.1-1`	unaffected	< *

Red Hat

Red Hat OpenShift Serverless 1.30

affected

Version	Status	Constraints
`1.9.2-3`	unaffected	< *

Red Hat

Red Hat OpenShift Serverless 1.30

affected

Version	Status	Constraints
`1.30.1-1`	unaffected	< *

Red Hat

Red Hat OpenShift Serverless 1.30

affected

Version	Status	Constraints
`1.30.1-1`	unaffected	< *

Red Hat

Red Hat OpenShift Serverless 1.30

affected

Version	Status	Constraints
`1.30.1-1`	unaffected	< *

Red Hat

Red Hat OpenShift Serverless 1.30

affected

Version	Status	Constraints
`1.30.0-5`	unaffected	< *

Red Hat

Red Hat OpenShift Serverless 1.30

affected

Version	Status	Constraints
`1.30.0-6`	unaffected	< *

Red Hat

Red Hat OpenShift Serverless 1.30

affected

Version	Status	Constraints
`1.30.0-6`	unaffected	< *

Red Hat

RHEL-8 based Middleware Containers

affected

Version	Status	Constraints
`7.13.4-3`	unaffected	< *

Red Hat

RHEL-8 based Middleware Containers

affected

Version	Status	Constraints
`7.13.4-2`	unaffected	< *

Red Hat

RHEL-8 based Middleware Containers

affected

Version	Status	Constraints
`7.13.4-2`	unaffected	< *

Red Hat

RHEL-8 based Middleware Containers

affected

Version	Status	Constraints
`7.13.4-3`	unaffected	< *

Red Hat

RHEL-8 based Middleware Containers

affected

Version	Status	Constraints
`7.13.4-3`	unaffected	< *

Red Hat RHINT Camel-K-1.10.2 unaffected —

Red Hat RHINT Service Registry 2.5.4 GA unaffected —

Red Hat RHPAM 7.13.4 async unaffected —

Red Hat Red Hat Process Automation 7 affected —

Configuration 1 [-]

OR	cpe:2.3:a:quarkus:quarkus::::::::
	cpe:2.3:a:quarkus:quarkus::::::::
	cpe:2.3:a:quarkus:quarkus::::::::

Configuration 2 [-]

OR	cpe:2.3:a:redhat:build_of_optaplanner:8.0:::::::*
	cpe:2.3:a:redhat:build_of_quarkus:::::text-only:::*
	cpe:2.3:a:redhat:decision_manager:7.0:::::::*
	cpe:2.3:a:redhat:integration_camel_k::::::::
	cpe:2.3:a:redhat:integration_camel_quarkus:-:::::::*
	cpe:2.3:a:redhat:integration_service_registry:-:::::::*
	cpe:2.3:a:redhat:jboss_middleware:1:::::::*
	cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:1.0:::::middleware::
	cpe:2.3:a:redhat:openshift_serverless:-:::::::*
	cpe:2.3:a:redhat:openshift_serverless:1.0:::::::*
	cpe:2.3:a:redhat:process_automation_manager:7.0:::::::*

Configuration 3 [-]

AND

OR	cpe:2.3:a:redhat:openshift_container_platform:4.10:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.11:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.12:::::::*

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Openshift Serverless 1 on RHEL 8
openshift-serverless-clients-0:1.9.2-3.el8	cpe:/a:redhat:serverless:1.0::el8	RHSA-2023:5479	2023-10-05T00:00:00Z
Red Hat build of OptaPlanner 8
quarkus-vertx-http	cpe:/a:redhat:optaplanner:::el6	RHSA-2023:5446	2023-10-04T00:00:00Z
Red Hat build of Quarkus 2.13.8.SP2
io.quarkus/quarkus-keycloak-authorization:2.13.8.Final-redhat-00005	cpe:/a:redhat:quarkus:2.13::el8	RHSA-2023:5170	2023-09-14T00:00:00Z
io.quarkus/quarkus-undertow:2.13.8.Final-redhat-00005	cpe:/a:redhat:quarkus:2.13::el8	RHSA-2023:5170	2023-09-14T00:00:00Z
io.quarkus/quarkus-vertx-http:2.13.8.Final-redhat-00005	cpe:/a:redhat:quarkus:2.13::el8	RHSA-2023:5170	2023-09-14T00:00:00Z
Red Hat Camel Extensions for Quarkus 2.13.3-1
quarkus-vertx-http	cpe:/a:redhat:camel_quarkus:2.13	RHSA-2023:5310	2023-09-20T00:00:00Z
Red Hat OpenShift Serverless 1.30
openshift-serverless-1/client-kn-rhel8:1.9.2-3	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:5480	2023-10-05T00:00:00Z
openshift-serverless-1/ingress-rhel8-operator:1.30.1-1	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:5480	2023-10-05T00:00:00Z
openshift-serverless-1/knative-rhel8-operator:1.30.1-1	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:5480	2023-10-05T00:00:00Z
openshift-serverless-1/kn-cli-artifacts-rhel8:1.9.2-3	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:5480	2023-10-05T00:00:00Z
openshift-serverless-1/serverless-operator-bundle:1.30.1-1	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:5480	2023-10-05T00:00:00Z
openshift-serverless-1/serverless-rhel8-operator:1.30.1-1	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:5480	2023-10-05T00:00:00Z
openshift-serverless-1/svls-must-gather-rhel8:1.30.1-1	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:5480	2023-10-05T00:00:00Z
openshift-serverless-1-tech-preview/logic-data-index-ephemeral-rhel8:1.30.0-5	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:5480	2023-10-05T00:00:00Z
openshift-serverless-1-tech-preview/logic-swf-builder-rhel8:1.30.0-6	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:5480	2023-10-05T00:00:00Z
openshift-serverless-1-tech-preview/logic-swf-devmode-rhel8:1.30.0-6	cpe:/a:redhat:openshift_serverless:1.30::el8	RHSA-2023:5480	2023-10-05T00:00:00Z
RHEL-8 based Middleware Containers
rhpam-7/rhpam-kogito-builder-rhel8:7.13.4-3	cpe:/a:redhat:rhosemc:1.0::el8	RHSA-2023:6107	2023-10-25T00:00:00Z
rhpam-7/rhpam-kogito-rhel8-operator:7.13.4-2	cpe:/a:redhat:rhosemc:1.0::el8	RHSA-2023:6107	2023-10-25T00:00:00Z
rhpam-7/rhpam-kogito-rhel8-operator-bundle:7.13.4-2	cpe:/a:redhat:rhosemc:1.0::el8	RHSA-2023:6107	2023-10-25T00:00:00Z
rhpam-7/rhpam-kogito-runtime-jvm-rhel8:7.13.4-3	cpe:/a:redhat:rhosemc:1.0::el8	RHSA-2023:6107	2023-10-25T00:00:00Z
rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8:7.13.4-3	cpe:/a:redhat:rhosemc:1.0::el8	RHSA-2023:6107	2023-10-25T00:00:00Z
RHINT Camel-K-1.10.2
quarkus-vertx-http	cpe:/a:redhat:camel_k:1	RHSA-2023:5337	2023-09-21T00:00:00Z
RHINT Service Registry 2.5.4 GA
quarkus-vertx-http	cpe:/a:redhat:service_registry:2.5	RHSA-2023:7653	2023-12-05T00:00:00Z
RHPAM 7.13.4 async
	cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13	RHSA-2023:6112	2023-10-25T00:00:00Z

No data available yet.

Remediation

Vendor Workaround

Use a ‘deny’ wildcard for base paths, then authenticate specifics within that: Examples: ``` deny: /* authenticated: /services/* ``` or ``` deny: /services/* roles-allowed: /services/rbac/* ``` NOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected–shipping the component in question–without being vulnerable (“affected at reduced impact”). See https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2023-2416	A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
Github GHSA	GHSA-4f4r-wgv2-jjvg	Quarkus HTTP vulnerable to incorrect evaluation of permissions

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00455.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://access.redhat.com/errata/RHSA-2023:5170
https://access.redhat.com/errata/RHSA-2023:5310
https://access.redhat.com/errata/RHSA-2023:5337
https://access.redhat.com/errata/RHSA-2023:5446
https://access.redhat.com/errata/RHSA-2023:5479
https://access.redhat.com/errata/RHSA-2023:5480
https://access.redhat.com/errata/RHSA-2023:6107
https://access.redhat.com/errata/RHSA-2023:6112
https://access.redhat.com/errata/RHSA-2023:7653
https://access.redhat.com/security/cve/CVE-2023-4853
https://access.redhat.com/security/vulnerabilities/RHSB-2023-002
https://bugzilla.redhat.com/show_bug.cgi?id=2238034
https://nvd.nist.gov/vuln/detail/CVE-2023-4853
https://www.cve.org/CVERecord?id=CVE-2023-4853

History

No history.

Subscriptions

Quarkus Quarkus

Redhat Build Of Optaplanner Build Of Quarkus Camel K Camel Quarkus Decision Manager Enterprise Linux Integration Camel K Integration Camel Quarkus Integration Service Registry Jboss Enterprise Bpms Platform Jboss Middleware Jboss Middleware Text-only Advisories Openshift Container Platform Openshift Serverless Optaplanner Process Automation Manager Quarkus Rhosemc Serverless Service Registry

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2023-09-20T09:47:32.150Z

Updated: 2025-11-07T10:17:29.266Z

Reserved: 2023-09-08T16:10:38.379Z

Link: CVE-2023-4853

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-09-20T10:15:14.947

Modified: 2024-11-21T08:36:06.910

Link: CVE-2023-4853

Redhat

Severity : Important

Publid Date: 2023-09-08T00:00:00Z

Links: CVE-2023-4853 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-4853", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-09-08T16:10:38.379Z", "datePublished": "2023-09-20T09:47:32.150Z", "dateUpdated": "2025-11-07T10:17:29.266Z"}, "containers": {"cna": {"title": "Quarkus: http security policy bypass", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service."}], "affected": [{"vendor": "Red Hat", "product": "Openshift Serverless 1 on RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "openshift-serverless-clients", "defaultStatus": "affected", "versions": [{"version": "0:1.9.2-3.el8", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:serverless:1.0::el8"]}, {"vendor": "Red Hat", "product": "Red Hat build of OptaPlanner 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "quarkus-vertx-http", "cpes": ["cpe:/a:redhat:optaplanner:::el6"]}, {"vendor": "Red Hat", "product": "Red Hat build of Quarkus 2.13.8.SP2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.quarkus/quarkus-keycloak-authorization", "defaultStatus": "affected", "versions": [{"version": "2.13.8.Final-redhat-00005", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:quarkus:2.13"]}, {"vendor": "Red Hat", "product": "Red Hat build of Quarkus 2.13.8.SP2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.quarkus/quarkus-undertow", "defaultStatus": "affected", "versions": [{"version": "2.13.8.Final-redhat-00005", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:quarkus:2.13"]}, {"vendor": "Red Hat", "product": "Red Hat build of Quarkus 2.13.8.SP2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.quarkus/quarkus-vertx-http", "defaultStatus": "affected", "versions": [{"version": "2.13.8.Final-redhat-00005", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:quarkus:2.13"]}, {"vendor": "Red Hat", "product": "Red Hat Camel Extensions for Quarkus 2.13.3-1", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected", "packageName": "quarkus-vertx-http", "cpes": ["cpe:/a:redhat:camel_quarkus:2.13"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Serverless 1.30", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift-serverless-1/client-kn-rhel8", "defaultStatus": "affected", "versions": [{"version": "1.9.2-3", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift_serverless:1.30::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Serverless 1.30", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift-serverless-1/ingress-rhel8-operator", "defaultStatus": "affected", "versions": [{"version": "1.30.1-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift_serverless:1.30::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Serverless 1.30", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift-serverless-1/knative-rhel8-operator", "defaultStatus": "affected", "versions": [{"version": "1.30.1-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift_serverless:1.30::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Serverless 1.30", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift-serverless-1/kn-cli-artifacts-rhel8", "defaultStatus": "affected", "versions": [{"version": "1.9.2-3", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift_serverless:1.30::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Serverless 1.30", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift-serverless-1/serverless-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "1.30.1-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift_serverless:1.30::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Serverless 1.30", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift-serverless-1/serverless-rhel8-operator", "defaultStatus": "affected", "versions": [{"version": "1.30.1-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift_serverless:1.30::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Serverless 1.30", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift-serverless-1/svls-must-gather-rhel8", "defaultStatus": "affected", "versions": [{"version": "1.30.1-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift_serverless:1.30::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Serverless 1.30", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift-serverless-1-tech-preview/logic-data-index-ephemeral-rhel8", "defaultStatus": "affected", "versions": [{"version": "1.30.0-5", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift_serverless:1.30::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Serverless 1.30", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift-serverless-1-tech-preview/logic-swf-builder-rhel8", "defaultStatus": "affected", "versions": [{"version": "1.30.0-6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift_serverless:1.30::el8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Serverless 1.30", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "openshift-serverless-1-tech-preview/logic-swf-devmode-rhel8", "defaultStatus": "affected", "versions": [{"version": "1.30.0-6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift_serverless:1.30::el8"]}, {"vendor": "Red Hat", "product": "RHEL-8 based Middleware Containers", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhpam-7/rhpam-kogito-builder-rhel8", "defaultStatus": "affected", "versions": [{"version": "7.13.4-3", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhosemc:1.0::el8"]}, {"vendor": "Red Hat", "product": "RHEL-8 based Middleware Containers", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhpam-7/rhpam-kogito-rhel8-operator", "defaultStatus": "affected", "versions": [{"version": "7.13.4-2", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhosemc:1.0::el8"]}, {"vendor": "Red Hat", "product": "RHEL-8 based Middleware Containers", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhpam-7/rhpam-kogito-rhel8-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "7.13.4-2", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhosemc:1.0::el8"]}, {"vendor": "Red Hat", "product": "RHEL-8 based Middleware Containers", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8", "defaultStatus": "affected", "versions": [{"version": "7.13.4-3", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhosemc:1.0::el8"]}, {"vendor": "Red Hat", "product": "RHEL-8 based Middleware Containers", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8", "defaultStatus": "affected", "versions": [{"version": "7.13.4-3", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhosemc:1.0::el8"]}, {"vendor": "Red Hat", "product": "RHINT Camel-K-1.10.2", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected", "packageName": "quarkus-vertx-http", "cpes": ["cpe:/a:redhat:camel_k:1"]}, {"vendor": "Red Hat", "product": "RHINT Service Registry 2.5.4 GA", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "quarkus-vertx-http", "cpes": ["cpe:/a:redhat:service_registry:2.5"]}, {"vendor": "Red Hat", "product": "RHPAM 7.13.4 async", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13"]}, {"vendor": "Red Hat", "product": "Red Hat Process Automation 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "quarkus-vertx-http", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jboss_enterprise_bpms_platform:7"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:5170", "name": "RHSA-2023:5170", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5310", "name": "RHSA-2023:5310", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5337", "name": "RHSA-2023:5337", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5446", "name": "RHSA-2023:5446", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5479", "name": "RHSA-2023:5479", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5480", "name": "RHSA-2023:5480", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6107", "name": "RHSA-2023:6107", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6112", "name": "RHSA-2023:6112", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7653", "name": "RHSA-2023:7653", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-4853", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002", "name": "RHSB-2023-002", "tags": ["technical-description", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034", "name": "RHBZ#2238034", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2023-09-08T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-148", "description": "Improper Neutralization of Input Leaders", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-148: Improper Neutralization of Input Leaders", "workarounds": [{"lang": "en", "value": "Use a \u2018deny\u2019 wildcard for base paths, then authenticate specifics within that:\n\nExamples:\n```\ndeny: /*\nauthenticated: /services/*\n```\nor\n```\ndeny: /services/*\nroles-allowed: /services/rbac/*\n```\n\nNOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected\u2013shipping the component in question\u2013without being vulnerable (\u201caffected at reduced impact\u201d).\n\nSee https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations."}], "timeline": [{"lang": "en", "time": "2023-09-08T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-09-08T00:00:00.000Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-11-07T10:17:29.266Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:38:00.803Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:5170", "name": "RHSA-2023:5170", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5310", "name": "RHSA-2023:5310", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5337", "name": "RHSA-2023:5337", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5446", "name": "RHSA-2023:5446", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5479", "name": "RHSA-2023:5479", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5480", "name": "RHSA-2023:5480", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6107", "name": "RHSA-2023:6107", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:6112", "name": "RHSA-2023:6112", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:7653", "name": "RHSA-2023:7653", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-4853", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002", "name": "RHSB-2023-002", "tags": ["technical-description", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034", "name": "RHBZ#2238034", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "matchCriteriaId": "F1985AD9-735A-4BBB-8E7B-B3271DC601C0", "versionEndExcluding": "2.16.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7A7D975-A081-4FA5-A97A-B430102325ED", "versionEndExcluding": "3.2.6", "versionStartIncluding": "3.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "matchCriteriaId": "F51936A7-39F2-42F4-87C5-D99445652F6B", "versionEndExcluding": "3.3.3", "versionStartIncluding": "3.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:build_of_optaplanner:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "1D54F5AE-61EC-4434-9D5F-9394A3979894", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:build_of_quarkus:*:*:*:*:text-only:*:*:*", "matchCriteriaId": "ACCC2DC7-4127-4429-BC5B-C555458D790A", "versionEndExcluding": "2.13.8", "versionStartIncluding": "2.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:decision_manager:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "68146098-58F8-417E-B165-5182527117C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:integration_camel_k:*:*:*:*:*:*:*:*", "matchCriteriaId": "176A2C2D-9397-4238-B803-54F60ED795C8", "versionEndExcluding": "1.10.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:integration_camel_quarkus:-:*:*:*:*:*:*:*", "matchCriteriaId": "F039C746-2001-4EE5-835F-49607A94F12B", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:integration_service_registry:-:*:*:*:*:*:*:*", "matchCriteriaId": "EF03BDE8-602D-4DEE-BA5B-5B20FDF47741", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_middleware:1:*:*:*:*:*:*:*", "matchCriteriaId": "1F4A0F87-524E-4935-9B07-93793D8143FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:1.0:*:*:*:*:middleware:*:*", "matchCriteriaId": "A0FED4EE-0AE2-4BD8-8DAC-143382E4DB7C", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_serverless:-:*:*:*:*:*:*:*", "matchCriteriaId": "77675CB7-67D7-44E9-B7FF-D224B3341AA5", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_serverless:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "C18B8793-52C2-46E2-8752-92552AD4A643", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:process_automation_manager:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "4857DA21-9127-4F6A-9DA1-96678D9F9472", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.10:*:*:*:*:*:*:*", "matchCriteriaId": "0595C9F8-9C7A-4FC1-B7EE-52978A1B1E93", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*", "matchCriteriaId": "EA983F8C-3A06-450A-AEFF-9429DE9A3454", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*", "matchCriteriaId": "40449571-22F8-44FA-B57B-B43F71AB25E2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en Quarkus donde las pol\u00edticas de seguridad HTTP no sanitiza correctamente ciertas permutaciones de caracteres al aceptar solicitudes, lo que resulta en una evaluaci\u00f3n incorrecta de los permisos. Este problema podr\u00eda permitir que un atacante eluda la pol\u00edtica de seguridad por completo, lo que resultar\u00eda en un acceso no autorizado al endpoint y posiblemente una Denegaci\u00f3n de Servicio."}], "id": "CVE-2023-4853", "lastModified": "2024-11-21T08:36:06.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-20T10:15:14.947", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5170"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5310"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5337"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5446"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5479"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5480"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6107"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6112"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:7653"}, {"source": "secalert@redhat.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-4853"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Mitigation", "Technical Description", "Vendor Advisory"], "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5170"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5310"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5337"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5446"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5479"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5480"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6107"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:6112"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:7653"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-4853"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mitigation", "Technical Description", "Vendor Advisory"], "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-148"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:5479", "cpe": "cpe:/a:redhat:serverless:1.0::el8", "package": "openshift-serverless-clients-0:1.9.2-3.el8", "product_name": "Openshift Serverless 1 on RHEL 8", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5446", "cpe": "cpe:/a:redhat:optaplanner:::el6", "package": "quarkus-vertx-http", "product_name": "Red Hat build of OptaPlanner 8", "release_date": "2023-10-04T00:00:00Z"}, {"advisory": "RHSA-2023:5170", "cpe": "cpe:/a:redhat:quarkus:2.13::el8", "package": "io.quarkus/quarkus-keycloak-authorization:2.13.8.Final-redhat-00005", "product_name": "Red Hat build of Quarkus 2.13.8.SP2", "release_date": "2023-09-14T00:00:00Z"}, {"advisory": "RHSA-2023:5170", "cpe": "cpe:/a:redhat:quarkus:2.13::el8", "package": "io.quarkus/quarkus-undertow:2.13.8.Final-redhat-00005", "product_name": "Red Hat build of Quarkus 2.13.8.SP2", "release_date": "2023-09-14T00:00:00Z"}, {"advisory": "RHSA-2023:5170", "cpe": "cpe:/a:redhat:quarkus:2.13::el8", "package": "io.quarkus/quarkus-vertx-http:2.13.8.Final-redhat-00005", "product_name": "Red Hat build of Quarkus 2.13.8.SP2", "release_date": "2023-09-14T00:00:00Z"}, {"advisory": "RHSA-2023:5310", "cpe": "cpe:/a:redhat:camel_quarkus:2.13", "impact": "low", "package": "quarkus-vertx-http", "product_name": "Red Hat Camel Extensions for Quarkus 2.13.3-1", "release_date": "2023-09-20T00:00:00Z"}, {"advisory": "RHSA-2023:5480", "cpe": "cpe:/a:redhat:openshift_serverless:1.30::el8", "package": "openshift-serverless-1/client-kn-rhel8:1.9.2-3", "product_name": "Red Hat OpenShift Serverless 1.30", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5480", "cpe": "cpe:/a:redhat:openshift_serverless:1.30::el8", "package": "openshift-serverless-1/ingress-rhel8-operator:1.30.1-1", "product_name": "Red Hat OpenShift Serverless 1.30", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5480", "cpe": "cpe:/a:redhat:openshift_serverless:1.30::el8", "package": "openshift-serverless-1/knative-rhel8-operator:1.30.1-1", "product_name": "Red Hat OpenShift Serverless 1.30", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5480", "cpe": "cpe:/a:redhat:openshift_serverless:1.30::el8", "package": "openshift-serverless-1/kn-cli-artifacts-rhel8:1.9.2-3", "product_name": "Red Hat OpenShift Serverless 1.30", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5480", "cpe": "cpe:/a:redhat:openshift_serverless:1.30::el8", "package": "openshift-serverless-1/serverless-operator-bundle:1.30.1-1", "product_name": "Red Hat OpenShift Serverless 1.30", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5480", "cpe": "cpe:/a:redhat:openshift_serverless:1.30::el8", "package": "openshift-serverless-1/serverless-rhel8-operator:1.30.1-1", "product_name": "Red Hat OpenShift Serverless 1.30", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5480", "cpe": "cpe:/a:redhat:openshift_serverless:1.30::el8", "package": "openshift-serverless-1/svls-must-gather-rhel8:1.30.1-1", "product_name": "Red Hat OpenShift Serverless 1.30", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5480", "cpe": "cpe:/a:redhat:openshift_serverless:1.30::el8", "package": "openshift-serverless-1-tech-preview/logic-data-index-ephemeral-rhel8:1.30.0-5", "product_name": "Red Hat OpenShift Serverless 1.30", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5480", "cpe": "cpe:/a:redhat:openshift_serverless:1.30::el8", "package": "openshift-serverless-1-tech-preview/logic-swf-builder-rhel8:1.30.0-6", "product_name": "Red Hat OpenShift Serverless 1.30", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5480", "cpe": "cpe:/a:redhat:openshift_serverless:1.30::el8", "package": "openshift-serverless-1-tech-preview/logic-swf-devmode-rhel8:1.30.0-6", "product_name": "Red Hat OpenShift Serverless 1.30", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:6107", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "rhpam-7/rhpam-kogito-builder-rhel8:7.13.4-3", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2023-10-25T00:00:00Z"}, {"advisory": "RHSA-2023:6107", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "rhpam-7/rhpam-kogito-rhel8-operator:7.13.4-2", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2023-10-25T00:00:00Z"}, {"advisory": "RHSA-2023:6107", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "rhpam-7/rhpam-kogito-rhel8-operator-bundle:7.13.4-2", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2023-10-25T00:00:00Z"}, {"advisory": "RHSA-2023:6107", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8:7.13.4-3", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2023-10-25T00:00:00Z"}, {"advisory": "RHSA-2023:6107", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8:7.13.4-3", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2023-10-25T00:00:00Z"}, {"advisory": "RHSA-2023:5337", "cpe": "cpe:/a:redhat:camel_k:1", "package": "quarkus-vertx-http", "product_name": "RHINT Camel-K-1.10.2", "release_date": "2023-09-21T00:00:00Z"}, {"advisory": "RHSA-2023:7653", "cpe": "cpe:/a:redhat:service_registry:2.5", "impact": "low", "package": "quarkus-vertx-http", "product_name": "RHINT Service Registry 2.5.4 GA", "release_date": "2023-12-05T00:00:00Z"}, {"advisory": "RHSA-2023:6112", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "product_name": "RHPAM 7.13.4 async", "release_date": "2023-10-25T00:00:00Z"}], "bugzilla": {"description": "quarkus: HTTP security policy bypass", "id": "2238034", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034"}, "csaw": true, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-148", "details": ["A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.", "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service."], "mitigation": {"lang": "en:us", "value": "Use a \u2018deny\u2019 wildcard for base paths, then authenticate specifics within that:\nExamples:\n```\ndeny: /*\nauthenticated: /services/*\n```\nor\n```\ndeny: /services/*\nroles-allowed: /services/rbac/*\n```\nNOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected\u2013shipping the component in question\u2013without being vulnerable (\u201caffected at reduced impact\u201d).\nSee https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations."}, "name": "CVE-2023-4853", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "quarkus-vertx-http", "product_name": "Red Hat Process Automation 7"}], "public_date": "2023-09-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-4853\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-4853"], "threat_severity": "Important"}