Code injection in quarkus dev ui config editor

2022-11-2221:30:17

Google

osv.dev

quarkus

dev ui

config editor

security flaw

drive-by localhost attacks

remote code execution

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.007 Low

EPSS

Percentile

80.8%

JSON

A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution.

CPENameOperatorVersion
io.quarkus:quarkus-vertx-http-deploymenteq1.12.2.Final
io.quarkus:quarkus-vertx-http-deploymenteq2.2.1.Final
io.quarkus:quarkus-vertx-http-deploymenteq1.3.3.Final
io.quarkus:quarkus-vertx-http-deploymenteq2.0.3.Final
io.quarkus:quarkus-vertx-http-deploymenteq2.6.0.Final
io.quarkus:quarkus-vertx-http-deploymenteq1.3.0.CR2
io.quarkus:quarkus-vertx-http-deploymenteq2.11.2.Final
io.quarkus:quarkus-vertx-http-deploymenteq1.10.0.Final
io.quarkus:quarkus-vertx-http-deploymenteq2.12.1.Final
io.quarkus:quarkus-vertx-http-deploymenteq2.10.0.CR1

Name	Operator	Version
io.quarkus:quarkus-vertx-http-deployment	eq	1.12.2.Final
io.quarkus:quarkus-vertx-http-deployment	eq	2.2.1.Final
io.quarkus:quarkus-vertx-http-deployment	eq	1.3.3.Final
io.quarkus:quarkus-vertx-http-deployment	eq	2.0.3.Final
io.quarkus:quarkus-vertx-http-deployment	eq	2.6.0.Final
io.quarkus:quarkus-vertx-http-deployment	eq	1.3.0.CR2
io.quarkus:quarkus-vertx-http-deployment	eq	2.11.2.Final
io.quarkus:quarkus-vertx-http-deployment	eq	1.10.0.Final
io.quarkus:quarkus-vertx-http-deployment	eq	2.12.1.Final
io.quarkus:quarkus-vertx-http-deployment	eq	2.10.0.CR1