Lucene search

GitHub Advisory DatabaseGHSA-G56W-CWG4-HXX9

HistoryNov 22, 2022 - 9:30 p.m.

Code injection in quarkus dev ui config editor

2022-11-2221:30:17

CWE-74

CWE-94

GitHub Advisory Database

github.com

quarkus

vulnerability

code injection

dev ui

config editor

localhost attack

remote code execution

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.007 Low

EPSS

Percentile

80.8%

JSON

A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution.

Affected configurations

Vulners

Node

io.quarkus\quarkusMatchcache

CPENameOperatorVersion
io.quarkus:quarkus-vertx-http-deploymentlt2.13.5.Final
io.quarkus:quarkus-vertx-http-deploymentlt2.14.2.Final

CPE	Name	Operator	Version
	io.quarkus:quarkus-vertx-http-deployment	lt	2.13.5.Final
	io.quarkus:quarkus-vertx-http-deployment	lt	2.14.2.Final

References

access.redhat.com/security/cve/CVE-2022-4116

bugzilla.redhat.com/show_bug.cgi?id=2144748

github.com/advisories/GHSA-g56w-cwg4-hxx9

github.com/quarkusio/quarkus/discussions/29527

github.com/quarkusio/quarkus/discussions/29527#discussioncomment-4387809

nvd.nist.gov/vuln/detail/CVE-2022-4116

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.007 Low

EPSS

Percentile

80.8%

JSON

Related for GHSA-G56W-CWG4-HXX9