Описание
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
Меры по смягчению последствий
Use a ‘deny’ wildcard for base paths, then authenticate specifics within that: Examples:
or
NOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected–shipping the component in question–without being vulnerable (“affected at reduced impact”). See https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Process Automation 7 | quarkus-vertx-http | Will not fix | ||
| Openshift Serverless 1 on RHEL 8 | openshift-serverless-clients | Fixed | RHSA-2023:5479 | 05.10.2023 |
| Red Hat build of OptaPlanner 8 | quarkus-vertx-http | Fixed | RHSA-2023:5446 | 04.10.2023 |
| Red Hat build of Quarkus 2.13.8.SP2 | io.quarkus/quarkus-keycloak-authorization | Fixed | RHSA-2023:5170 | 14.09.2023 |
| Red Hat build of Quarkus 2.13.8.SP2 | io.quarkus/quarkus-undertow | Fixed | RHSA-2023:5170 | 14.09.2023 |
| Red Hat build of Quarkus 2.13.8.SP2 | io.quarkus/quarkus-vertx-http | Fixed | RHSA-2023:5170 | 14.09.2023 |
| Red Hat Camel Extensions for Quarkus 2.13.3-1 | quarkus-vertx-http | Fixed | RHSA-2023:5310 | 20.09.2023 |
| Red Hat OpenShift Serverless 1.30 | openshift-serverless-1/client-kn-rhel8 | Fixed | RHSA-2023:5480 | 05.10.2023 |
| Red Hat OpenShift Serverless 1.30 | openshift-serverless-1/ingress-rhel8-operator | Fixed | RHSA-2023:5480 | 05.10.2023 |
| Red Hat OpenShift Serverless 1.30 | openshift-serverless-1/knative-rhel8-operator | Fixed | RHSA-2023:5480 | 05.10.2023 |
Показывать по
Дополнительная информация
Статус:
EPSS
8.1 High
CVSS3
Связанные уязвимости
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
Quarkus HTTP vulnerable to incorrect evaluation of permissions
Уязвимость политики безопасности HTTP Java-фреймворка Quarkus, позволяющая нарушителю обойти ограничения безопасности, получить несанкционированный доступ к защищаемой информации или вызвать отказ в обслуживании
EPSS
8.1 High
CVSS3