CVE-2022-4147

2022-12-0619:15:10

CWE-1026

[email protected]

web.nvd.nist.gov

cve-2022-4147

quarkus

cors filter

get

post

xmlhttprequest

security vulnerability

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

58.4%

JSON

Quarkus CORS filter allows simple GET and POST requests with invalid Origin to proceed. Simple GET or POST requests made with XMLHttpRequest are the ones which have no event listeners registered on the object returned by the XMLHttpRequest upload property and have no ReadableStream object used in the request.

Affected configurations

Vulners

NVD

Node

redhatbuild_of_quarkusRange≤2

VendorProductVersionCPE
redhatbuild_of_quarkus*cpe:2.3:a:redhat:build_of_quarkus:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redhat	build_of_quarkus	*	cpe:2.3:a:redhat:build_of_quarkus::::::::

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "quarkus-2",
    "versions": [
      {
        "version": "2",
        "status": "affected"
      }
    ]
  }
]