History: Dec 06, 2023 - 5:15 p.m.

CVE-2023-6393

2023-12-06 17:15:07
CWE-200
web.nvd.nist.gov
Tags: cve-2023-6393, quarkus, cache runtime, uni, @cacheresult, request processing, security vulnerability, nvd, sensitive data, unauthorized access

CVSS3: 5.3 Medium

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score: 5 Medium (Confidence: High)

EPSS: 0.0005 Low (Percentile: 18.1%)

A flaw was found in the Quarkus Cache Runtime. When request processing utilizes a Uni cached using @CacheResult and the cached Uni reuses the initial “completion” context, the processing switches to the cached Uni instead of the request context. This is a problem if the cached Uni context contains sensitive information, and could allow a malicious user to benefit from a POST request returning the response that is meant for another user, gaining access to sensitive data.

Affected configurations

NVD

Node: redhat build_of_quarkus, Match: -

CNA Affected

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Quarkus",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.quarkus/quarkus-cache",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:quarkus:2"
    ]
  }
]
