RedhatCVELIST:CVE-2023-2974CVE-2023-2974 Quarkus-core: tls protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported tls protocol
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
8.2 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
24.8%
A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.
CNA Affected
[
{
"vendor": "Red Hat",
"product": "Red Hat build of Quarkus 2.13.8.Final",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "io.quarkus/quarkus-grpc",
"defaultStatus": "affected",
"versions": [
{
"version": "2.13.8.Final-redhat-00004",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:quarkus:2.13"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat build of Quarkus 2.13.8.Final",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "io.quarkus/quarkus-vertx-http",
"defaultStatus": "affected",
"versions": [
{
"version": "2.13.8.Final-redhat-00004",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:quarkus:2.13"
]
}
]Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
8.2 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
24.8%