CVSS3: 8.1 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.002 Low
EPSS Percentile: 58.7%
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
References:
access.redhat.com/articles/11258
access.redhat.com/errata/RHSA-2023:5170
access.redhat.com/errata/RHSA-2023:5310
access.redhat.com/errata/RHSA-2023:5337
access.redhat.com/errata/RHSA-2023:5446
access.redhat.com/errata/RHSA-2023:5479
access.redhat.com/errata/RHSA-2023:5480
access.redhat.com/errata/RHSA-2023:6107
access.redhat.com/errata/RHSA-2023:6112
access.redhat.com/errata/RHSA-2023:7653
access.redhat.com/security/cve/CVE-2023-4853
access.redhat.com/security/vulnerabilities/RHSB-2023-002
bugzilla.redhat.com/show_bug.cgi?id=2238034
github.com/quarkusio/quarkus
github.com/quarkusio/quarkus/discussions/35940
github.com/quarkusio/quarkus/issues/35785
nvd.nist.gov/vuln/detail/CVE-2023-4853