A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
Fixes

Solution

No solution given by the vendor.


Workaround

Use a ‘deny’ wildcard for base paths, then authenticate specifics within that: Examples: ``` deny: /* authenticated: /services/* ``` or ``` deny: /services/* roles-allowed: /services/rbac/* ``` NOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected–shipping the component in question–without being vulnerable (“affected at reduced impact”). See https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations.

History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-09-25T21:55:31.368Z

Reserved: 2023-09-08T16:10:38.379Z

Link: CVE-2023-4853

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-09-20T10:15:14.947

Modified: 2024-11-21T08:36:06.910

Link: CVE-2023-4853

cve-icon Redhat

Severity : Important

Publid Date: 2023-09-08T00:00:00Z

Links: CVE-2023-4853 - Bugzilla

cve-icon OpenCVE Enrichment

No data.