{ "threat_severity" : "Important", "public_date" : "2023-09-08T00:00:00Z", "bugzilla" : { "description" : "quarkus: HTTP security policy bypass", "id" : "2238034", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2238034" }, "cvss3" : { "cvss3_base_score" : "8.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-148", "details" : [ "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.", "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service." ], "affected_release" : [ { "product_name" : "Openshift Serverless 1 on RHEL 8", "release_date" : "2023-10-05T00:00:00Z", "advisory" : "RHSA-2023:5479", "cpe" : "cpe:/a:redhat:serverless:1.0::el8", "package" : "openshift-serverless-clients-0:1.9.2-3.el8" }, { "product_name" : "Red Hat build of OptaPlanner 8", "release_date" : "2023-10-04T00:00:00Z", "advisory" : "RHSA-2023:5446", "cpe" : "cpe:/a:redhat:optaplanner:::el6", "package" : "quarkus-vertx-http" }, { "product_name" : "Red Hat build of Quarkus 2.13.8.SP2", "release_date" : "2023-09-14T00:00:00Z", "advisory" : "RHSA-2023:5170", "cpe" : "cpe:/a:redhat:quarkus:2.13::el8", "package" : "io.quarkus/quarkus-keycloak-authorization:2.13.8.Final-redhat-00005" }, { "product_name" : "Red Hat build of Quarkus 2.13.8.SP2", "release_date" : "2023-09-14T00:00:00Z", "advisory" : "RHSA-2023:5170", "cpe" : "cpe:/a:redhat:quarkus:2.13::el8", "package" : "io.quarkus/quarkus-undertow:2.13.8.Final-redhat-00005" }, { "product_name" : "Red Hat build of Quarkus 2.13.8.SP2", "release_date" : "2023-09-14T00:00:00Z", "advisory" : "RHSA-2023:5170", "cpe" : "cpe:/a:redhat:quarkus:2.13::el8", "package" : "io.quarkus/quarkus-vertx-http:2.13.8.Final-redhat-00005" }, { "product_name" : "Red Hat Camel Extensions for Quarkus 2.13.3-1", "release_date" : "2023-09-20T00:00:00Z", "advisory" : "RHSA-2023:5310", "cpe" : "cpe:/a:redhat:camel_quarkus:2.13", "package" : "quarkus-vertx-http", "impact" : "low" }, { "product_name" : "Red Hat OpenShift Serverless 1.30", "release_date" : "2023-10-05T00:00:00Z", "advisory" : "RHSA-2023:5480", "cpe" : "cpe:/a:redhat:openshift_serverless:1.30::el8", "package" : "openshift-serverless-1/client-kn-rhel8:1.9.2-3" }, { "product_name" : "Red Hat OpenShift Serverless 1.30", "release_date" : "2023-10-05T00:00:00Z", "advisory" : "RHSA-2023:5480", "cpe" : "cpe:/a:redhat:openshift_serverless:1.30::el8", "package" : "openshift-serverless-1/ingress-rhel8-operator:1.30.1-1" }, { "product_name" : "Red Hat OpenShift Serverless 1.30", "release_date" : "2023-10-05T00:00:00Z", "advisory" : "RHSA-2023:5480", "cpe" : "cpe:/a:redhat:openshift_serverless:1.30::el8", "package" : "openshift-serverless-1/knative-rhel8-operator:1.30.1-1" }, { "product_name" : "Red Hat OpenShift Serverless 1.30", "release_date" : "2023-10-05T00:00:00Z", "advisory" : "RHSA-2023:5480", "cpe" : "cpe:/a:redhat:openshift_serverless:1.30::el8", "package" : "openshift-serverless-1/kn-cli-artifacts-rhel8:1.9.2-3" }, { "product_name" : "Red Hat OpenShift Serverless 1.30", "release_date" : "2023-10-05T00:00:00Z", "advisory" : "RHSA-2023:5480", "cpe" : "cpe:/a:redhat:openshift_serverless:1.30::el8", "package" : "openshift-serverless-1/serverless-operator-bundle:1.30.1-1" }, { "product_name" : "Red Hat OpenShift Serverless 1.30", "release_date" : "2023-10-05T00:00:00Z", "advisory" : "RHSA-2023:5480", "cpe" : "cpe:/a:redhat:openshift_serverless:1.30::el8", "package" : "openshift-serverless-1/serverless-rhel8-operator:1.30.1-1" }, { "product_name" : "Red Hat OpenShift Serverless 1.30", "release_date" : "2023-10-05T00:00:00Z", "advisory" : "RHSA-2023:5480", "cpe" : "cpe:/a:redhat:openshift_serverless:1.30::el8", "package" : "openshift-serverless-1/svls-must-gather-rhel8:1.30.1-1" }, { "product_name" : "Red Hat OpenShift Serverless 1.30", "release_date" : "2023-10-05T00:00:00Z", "advisory" : "RHSA-2023:5480", "cpe" : "cpe:/a:redhat:openshift_serverless:1.30::el8", "package" : "openshift-serverless-1-tech-preview/logic-data-index-ephemeral-rhel8:1.30.0-5" }, { "product_name" : "Red Hat OpenShift Serverless 1.30", "release_date" : "2023-10-05T00:00:00Z", "advisory" : "RHSA-2023:5480", "cpe" : "cpe:/a:redhat:openshift_serverless:1.30::el8", "package" : "openshift-serverless-1-tech-preview/logic-swf-builder-rhel8:1.30.0-6" }, { "product_name" : "Red Hat OpenShift Serverless 1.30", "release_date" : "2023-10-05T00:00:00Z", "advisory" : "RHSA-2023:5480", "cpe" : "cpe:/a:redhat:openshift_serverless:1.30::el8", "package" : "openshift-serverless-1-tech-preview/logic-swf-devmode-rhel8:1.30.0-6" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2023-10-25T00:00:00Z", "advisory" : "RHSA-2023:6107", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rhpam-7/rhpam-kogito-builder-rhel8:7.13.4-3" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2023-10-25T00:00:00Z", "advisory" : "RHSA-2023:6107", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rhpam-7/rhpam-kogito-rhel8-operator:7.13.4-2" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2023-10-25T00:00:00Z", "advisory" : "RHSA-2023:6107", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rhpam-7/rhpam-kogito-rhel8-operator-bundle:7.13.4-2" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2023-10-25T00:00:00Z", "advisory" : "RHSA-2023:6107", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rhpam-7/rhpam-kogito-runtime-jvm-rhel8:7.13.4-3" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2023-10-25T00:00:00Z", "advisory" : "RHSA-2023:6107", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8:7.13.4-3" }, { "product_name" : "RHINT Camel-K-1.10.2", "release_date" : "2023-09-21T00:00:00Z", "advisory" : "RHSA-2023:5337", "cpe" : "cpe:/a:redhat:camel_k:1", "package" : "quarkus-vertx-http" }, { "product_name" : "RHINT Service Registry 2.5.4 GA", "release_date" : "2023-12-05T00:00:00Z", "advisory" : "RHSA-2023:7653", "cpe" : "cpe:/a:redhat:service_registry:2.5", "package" : "quarkus-vertx-http", "impact" : "low" }, { "product_name" : "RHPAM 7.13.4 async", "release_date" : "2023-10-25T00:00:00Z", "advisory" : "RHSA-2023:6112", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13" } ], "package_state" : [ { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Will not fix", "package_name" : "quarkus-vertx-http", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-4853\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-4853" ], "csaw" : true, "name" : "CVE-2023-4853", "mitigation" : { "value" : "Use a ‘deny’ wildcard for base paths, then authenticate specifics within that:\nExamples:\n```\ndeny: /*\nauthenticated: /services/*\n```\nor\n```\ndeny: /services/*\nroles-allowed: /services/rbac/*\n```\nNOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected–shipping the component in question–without being vulnerable (“affected at reduced impact”).\nSee https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations.", "lang" : "en:us" } }