A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00348.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Quarkus
  • Quarkus
Redhat
  • Build Of Optaplanner
  • Build Of Quarkus
  • Camel K
  • Camel Quarkus
  • Decision Manager
  • Enterprise Linux
  • Integration Camel K
  • Integration Camel Quarkus
  • Integration Service Registry
  • Jboss Enterprise Bpms Platform
  • Jboss Middleware
  • Jboss Middleware Text-only Advisories
  • Openshift Container Platform
  • Openshift Serverless
  • Optaplanner
  • Process Automation Manager
  • Quarkus
  • Rhosemc
  • Serverless
  • Service Registry

Configuration 1 [-]

OR cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*
cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*
cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:a:redhat:build_of_optaplanner:8.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:build_of_quarkus:*:*:*:*:text-only:*:*:*
cpe:2.3:a:redhat:decision_manager:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:integration_camel_k:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:integration_camel_quarkus:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:integration_service_registry:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_middleware:1:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:1.0:*:*:*:*:middleware:*:*
cpe:2.3:a:redhat:openshift_serverless:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_serverless:1.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:process_automation_manager:7.0:*:*:*:*:*:*:*

Configuration 3 [-]

AND
OR cpe:2.3:a:redhat:openshift_container_platform:4.10:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Openshift Serverless 1 on RHEL 8
openshift-serverless-clients-0:1.9.2-3.el8 cpe:/a:redhat:serverless:1.0::el8 RHSA-2023:5479 2023-10-05T00:00:00Z
Red Hat build of OptaPlanner 8
quarkus-vertx-http cpe:/a:redhat:optaplanner:::el6 RHSA-2023:5446 2023-10-04T00:00:00Z
Red Hat build of Quarkus 2.13.8.SP2
io.quarkus/quarkus-keycloak-authorization:2.13.8.Final-redhat-00005 cpe:/a:redhat:quarkus:2.13::el8 RHSA-2023:5170 2023-09-14T00:00:00Z
io.quarkus/quarkus-undertow:2.13.8.Final-redhat-00005 cpe:/a:redhat:quarkus:2.13::el8 RHSA-2023:5170 2023-09-14T00:00:00Z
io.quarkus/quarkus-vertx-http:2.13.8.Final-redhat-00005 cpe:/a:redhat:quarkus:2.13::el8 RHSA-2023:5170 2023-09-14T00:00:00Z
Red Hat Camel Extensions for Quarkus 2.13.3-1
quarkus-vertx-http cpe:/a:redhat:camel_quarkus:2.13 RHSA-2023:5310 2023-09-20T00:00:00Z
Red Hat OpenShift Serverless 1.30
openshift-serverless-1/client-kn-rhel8:1.9.2-3 cpe:/a:redhat:openshift_serverless:1.30::el8 RHSA-2023:5480 2023-10-05T00:00:00Z
openshift-serverless-1/ingress-rhel8-operator:1.30.1-1 cpe:/a:redhat:openshift_serverless:1.30::el8 RHSA-2023:5480 2023-10-05T00:00:00Z
openshift-serverless-1/knative-rhel8-operator:1.30.1-1 cpe:/a:redhat:openshift_serverless:1.30::el8 RHSA-2023:5480 2023-10-05T00:00:00Z
openshift-serverless-1/kn-cli-artifacts-rhel8:1.9.2-3 cpe:/a:redhat:openshift_serverless:1.30::el8 RHSA-2023:5480 2023-10-05T00:00:00Z
openshift-serverless-1/serverless-operator-bundle:1.30.1-1 cpe:/a:redhat:openshift_serverless:1.30::el8 RHSA-2023:5480 2023-10-05T00:00:00Z
openshift-serverless-1/serverless-rhel8-operator:1.30.1-1 cpe:/a:redhat:openshift_serverless:1.30::el8 RHSA-2023:5480 2023-10-05T00:00:00Z
openshift-serverless-1/svls-must-gather-rhel8:1.30.1-1 cpe:/a:redhat:openshift_serverless:1.30::el8 RHSA-2023:5480 2023-10-05T00:00:00Z
openshift-serverless-1-tech-preview/logic-data-index-ephemeral-rhel8:1.30.0-5 cpe:/a:redhat:openshift_serverless:1.30::el8 RHSA-2023:5480 2023-10-05T00:00:00Z
openshift-serverless-1-tech-preview/logic-swf-builder-rhel8:1.30.0-6 cpe:/a:redhat:openshift_serverless:1.30::el8 RHSA-2023:5480 2023-10-05T00:00:00Z
openshift-serverless-1-tech-preview/logic-swf-devmode-rhel8:1.30.0-6 cpe:/a:redhat:openshift_serverless:1.30::el8 RHSA-2023:5480 2023-10-05T00:00:00Z
RHEL-8 based Middleware Containers
rhpam-7/rhpam-kogito-builder-rhel8:7.13.4-3 cpe:/a:redhat:rhosemc:1.0::el8 RHSA-2023:6107 2023-10-25T00:00:00Z
rhpam-7/rhpam-kogito-rhel8-operator:7.13.4-2 cpe:/a:redhat:rhosemc:1.0::el8 RHSA-2023:6107 2023-10-25T00:00:00Z
rhpam-7/rhpam-kogito-rhel8-operator-bundle:7.13.4-2 cpe:/a:redhat:rhosemc:1.0::el8 RHSA-2023:6107 2023-10-25T00:00:00Z
rhpam-7/rhpam-kogito-runtime-jvm-rhel8:7.13.4-3 cpe:/a:redhat:rhosemc:1.0::el8 RHSA-2023:6107 2023-10-25T00:00:00Z
rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8:7.13.4-3 cpe:/a:redhat:rhosemc:1.0::el8 RHSA-2023:6107 2023-10-25T00:00:00Z
RHINT Camel-K-1.10.2
quarkus-vertx-http cpe:/a:redhat:camel_k:1 RHSA-2023:5337 2023-09-21T00:00:00Z
RHINT Service Registry 2.5.4 GA
quarkus-vertx-http cpe:/a:redhat:service_registry:2.5 RHSA-2023:7653 2023-12-05T00:00:00Z
RHPAM 7.13.4 async
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13 RHSA-2023:6112 2023-10-25T00:00:00Z

No data.

Advisories
Source ID Title
EUVD EUVD EUVD-2023-2416 A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
Github GHSA Github GHSA GHSA-4f4r-wgv2-jjvg Quarkus HTTP vulnerable to incorrect evaluation of permissions
Fixes

Solution

No solution given by the vendor.

Workaround

Use a ‘deny’ wildcard for base paths, then authenticate specifics within that: Examples: ``` deny: /* authenticated: /services/* ``` or ``` deny: /services/* roles-allowed: /services/rbac/* ``` NOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected–shipping the component in question–without being vulnerable (“affected at reduced impact”). See https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations.

References
Link Providers
https://access.redhat.com/errata/RHSA-2023:5170 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2023:5310 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2023:5337 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2023:5446 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2023:5479 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2023:5480 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2023:6107 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2023:6112 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2023:7653 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2023-4853 cve-icon cve-icon
https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2238034 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2023-4853 cve-icon
https://www.cve.org/CVERecord?id=CVE-2023-4853 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-10-09T11:49:24.838Z

Reserved: 2023-09-08T16:10:38.379Z

Link: CVE-2023-4853

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-09-20T10:15:14.947

Modified: 2024-11-21T08:36:06.910

Link: CVE-2023-4853

cve-icon Redhat

Severity : Important

Publid Date: 2023-09-08T00:00:00Z

Links: CVE-2023-4853 - Bugzilla

cve-icon OpenCVE Enrichment

No data.