Description
Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. In versions prior to 3.24.0, there is a potential data leak when duplicating a duplicated context. Quarkus extensively uses the Vert.x duplicated context to implement context propagation. With the new semantics, data from one transaction can leak into the data of another transaction. From a Vert.x point of view, this new semantic clarifies the behavior. A significant amount of data is stored in the duplicated context, including request scope, security details, and metadata. Duplicating a duplicated context is rather rare and is only done in a few places. This issue has been patched in version 3.24.0.
A data leak vulnerability has been discovered in the io.quarkus:quarkus-vertx package. This flaw can lead to information disclosure if a Vert.x context that has already been duplicated is subsequently duplicated again. In such a scenario, sensitive data residing within that context may be unintentionally exposed.
Mitigation
Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Cryostat 4 | quarkus-vertx | Fix deferred | | |
| OpenShift Serverless | openshift-serverless-1/kn-ekb-dispatcher-rhel8 | Fix deferred | | |
| OpenShift Serverless | openshift-serverless-1/kn-ekb-kafka-controller-rhel8 | Fix deferred | | |
| OpenShift Serverless | openshift-serverless-1/kn-ekb-post-install-rhel8 | Fix deferred | | |
| OpenShift Serverless | openshift-serverless-1/kn-ekb-receiver-rhel8 | Fix deferred | | |
| OpenShift Serverless | openshift-serverless-1/kn-ekb-webhook-kafka-rhel8 | Fix deferred | | |
| OpenShift Serverless | openshift-serverless-1/kn-eventing-integrations-aws-ddb-streams-source-rhel8 | Fix deferred | | |
| OpenShift Serverless | openshift-serverless-1/kn-eventing-integrations-aws-s3-sink-rhel8 | Fix deferred | | |
| OpenShift Serverless | openshift-serverless-1/kn-eventing-integrations-aws-s3-source-rhel8 | Fix deferred | | |
| OpenShift Serverless | openshift-serverless-1/kn-eventing-integrations-aws-sns-sink-rhel8 | Fix deferred | | |
CVSS3: 6.4 Medium
Related vulnerabilities
Quarkus potentially leaks data when duplicating a duplicated context