CVE-2023-4853

high

Description

A flaw was found in Quarkus: HTTP security policies do not correctly sanitize certain character permutations in incoming requests, so permissions are evaluated against a request that does not match what the policy author intended. An attacker could use this to bypass the security policy altogether, gaining unauthorized access to protected endpoints and possibly causing a denial of service.
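The description above is all this page says about the flaw; the specific character permutations that defeat the Quarkus policy are not listed here. The Python below is an added illustration of the bug class, not Quarkus code and not the actual CVE-2023-4853 bypass: a path-prefix HTTP security policy that matches the raw request path (the vulnerable shape) beside one that canonicalizes the path before deciding. The policy table, the `/admin` prefix, the probe paths and the assumption that the server would route those raw paths to `/admin/users` are all constructed for the example.

```python
"""Normalize-before-authorize, illustrated on a toy path-prefix policy.

Constructed example: the policy table, paths and probe inputs below are
assumptions chosen to show how a prefix-based HTTP security policy can be
fooled when it evaluates the raw request path instead of the canonical
path the router will serve. Nothing here is Quarkus code.
"""
from urllib.parse import unquote

# Hypothetical policy: longest matching prefix wins; an empty role set
# means permit-all. Only /admin is protected.
POLICY = {
    "/admin": {"admin"},
    "/": set(),
}

# Constructed anonymous probes: each names the same protected resource
# as /admin/users but spells the path differently.
PROBES = [
    "//admin/users",            # duplicate slash
    "/public/../admin/users",   # dot-segment traversal back into /admin
    "/%61dmin/users",           # percent-encoded 'a'
    "/admin%2Fusers",           # encoded separator, ambiguous segment boundary
]


def _evaluate(path, roles):
    """Shared prefix match; returns True when the request is permitted."""
    for prefix in sorted(POLICY, key=len, reverse=True):
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            allowed = POLICY[prefix]
            return not allowed or bool(roles & allowed)
    return False


def naive_decision(raw_path, roles):
    """Vulnerable shape: decides on the path exactly as the client sent it."""
    return _evaluate(raw_path, roles)


def normalize_path(raw_path):
    """Canonicalize a request path before any security decision.

    Rejects encoded '/' and '\\' (they would move a segment boundary after
    decoding), percent-decodes once, collapses duplicate slashes and resolves
    '.' / '..' segments without ever climbing above the root. The decode is
    deliberately single-pass: the authorizer must decode exactly as often as
    the router does, or the two will disagree.
    """
    lowered = raw_path.lower()
    if "%2f" in lowered or "%5c" in lowered:
        raise ValueError("encoded path separator")
    decoded = unquote(raw_path)
    if "\\" in decoded:
        raise ValueError("backslash in path")
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def hardened_decision(raw_path, roles):
    """Fixed shape: normalize first, fail closed on anything ambiguous."""
    try:
        path = normalize_path(raw_path)
    except ValueError:
        return False
    return _evaluate(path, roles)


def compare(probes, roles=frozenset()):
    """Return {probe: (naive_permitted, hardened_permitted)}."""
    return {
        p: (naive_decision(p, set(roles)), hardened_decision(p, set(roles)))
        for p in probes
    }


if __name__ == "__main__":
    for probe, (naive, hard) in compare(PROBES).items():
        print(f"{probe:28} naive={'ALLOW' if naive else 'deny':5} "
              f"hardened={'ALLOW' if hard else 'deny'}")
```

Every probe is permitted by the naive check (none of the raw strings starts with `/admin/`, so they fall through to the permit-all `/` rule) and denied by the hardened one. The practical lesson for anyone maintaining such a policy, whatever the framework, is that the authorizer must decide on the same canonical path the router dispatches on; for the flaw on this page itself, the fix is the vendor update listed in the errata below rather than a home-grown normalizer.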

References

https://bugzilla.redhat.com/show_bug.cgi?id=2238034

https://access.redhat.com/security/cve/CVE-2023-4853

https://access.redhat.com/errata/RHSA-2023:7653

https://access.redhat.com/errata/RHSA-2023:6112

https://access.redhat.com/errata/RHSA-2023:6107

https://access.redhat.com/errata/RHSA-2023:5480

https://access.redhat.com/errata/RHSA-2023:5479

https://access.redhat.com/errata/RHSA-2023:5446

https://access.redhat.com/errata/RHSA-2023:5337

https://access.redhat.com/errata/RHSA-2023:5310

https://access.redhat.com/errata/RHSA-2023:5170

Details

Source: MITRE, NVD

Published: 2023-09-20

Updated: 2023-12-21

Risk Information

CVSS v2

Base Score: 7.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: High