Description
quarkus-core vulnerable to client driven TLS cipher downgrading
A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-2974
- https://github.com/quarkusio/quarkus/pull/34469
- https://github.com/quarkusio/quarkus/commit/468397ae53a8d6aae933d0d406f94965e97d1935
- https://access.redhat.com/errata/RHSA-2023:3809
- https://access.redhat.com/security/cve/CVE-2023-2974
- https://bugzilla.redhat.com/show_bug.cgi?id=2211026
Packages
io.quarkus:quarkus-core (affected: < 2.16.8.Final; fixed: 2.16.8.Final)
Related vulnerabilities
A vulnerability in the TLS protocol implementation of the Quarkus Java framework that allows an attacker to gain unauthorized access to protected information