exploitDog

CVE-2025-1247

Published: 12 Feb 2025
Source: redhat
CVSS3: 8.3
EPSS: Low

Description

A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.

Statement

This vulnerability is rated Important severity rather than Moderate because it leads to cross-request data leakage, which can compromise the confidentiality and integrity of user interactions. In a concurrent environment, multiple requests being served by a single, shared instance of an endpoint class means that sensitive request data—such as authentication headers, cookies, or form parameters—can be inadvertently exposed to other users. This violates fundamental HTTP request isolation principles, potentially leading to session hijacking, unauthorized access, or privilege escalation.
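The pattern described above, as an added illustration that is not part of this record or of the Quarkus project: a hypothetical resource class that injects request values into fields without declaring a CDI scope (the shared-instance case the description names), next to the same resource with an explicit request scope. Class names, paths and the Quarkus 3 Jakarta imports are assumptions.

```java
// Both classes are hypothetical; Quarkus 3 (Jakarta namespace) assumed.
// --- File 1: UnsafeWhoAmIResource.java ---
import jakarta.ws.rs.GET;
import jakarta.ws.rs.HeaderParam;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.QueryParam;

// VULNERABLE PATTERN: request values injected into fields of a resource
// class that declares no CDI scope. Such a class is served by one shared
// instance, so concurrent requests overwrite the same fields and a handler
// can read another caller's Authorization header or "user" parameter.
@Path("/unsafe/whoami")
public class UnsafeWhoAmIResource {
    @HeaderParam("Authorization")
    String authorization;   // one field shared by every in-flight request
    @QueryParam("user")
    String user;            // one field shared by every in-flight request

    @GET
    public String whoAmI() {
        // Under load this may answer with another caller's values.
        return "user=" + user + " auth=" + authorization;
    }
}

// --- File 2: SafeWhoAmIResource.java ---
import jakarta.enterprise.context.RequestScoped;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.HeaderParam;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.QueryParam;

// HARDENED PATTERN: an explicit @RequestScoped scope gives each request its
// own instance, so the injected fields can no longer leak between requests.
// (Passing the values as method parameters instead of fields avoids the
// shared state as well.)
@Path("/safe/whoami")
@RequestScoped
public class SafeWhoAmIResource {
    @HeaderParam("Authorization")
    String authorization;   // now per request
    @QueryParam("user")
    String user;            // now per request

    @GET
    public String whoAmI() {
        return "user=" + user + " auth=" + authorization;
    }
}
```

Auditing for this issue means looking for resource classes that carry `@HeaderParam`, `@QueryParam`, `@CookieParam` or `@FormParam` on fields while having no scope annotation; the scoped form is the one to standardise on, independent of the fixed Quarkus release.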

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Additional information

Status: Important
Defect: CWE-488
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2345172
io.quarkus:quarkus-rest: Quarkus REST Endpoint Request Parameter Leakage Due to Shared Instance

EPSS: 0.00101 (percentile 28%, Low)
CVSS3: 8.3 High

Related vulnerabilities

CVSS3: 8.3
nvd
11 months ago

A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.

CVSS3: 8.3
github
11 months ago

Quarkus REST Endpoint Request Parameter Leakage Due to Shared Instance
