CVE-2023-4853

HIGH

Quarkus < 2.16.11 - HTTP Security Policy Bypass via Input Neutralization Flaw


Description

A flaw was found in Quarkus where HTTP security policies do not correctly sanitize certain character permutations when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

References (12)

Core References
Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:5170
Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:5310
Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:5337
Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:5446
Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:5479
Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:5480
Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:6107
Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:6112
Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:7653
Mitigation, Vendor Advisory (VDB entry): https://access.redhat.com/security/cve/CVE-2023-4853
Exploit, Mitigation, Technical Description, Vendor Advisory: https://access.redhat.com/security/vulnerabilities/RHSB-2023-002
Issue Tracking, Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=2238034

Scores

CVSS v3: 8.1
EPSS: 0.0046
EPSS Percentile: 64.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-148 (Improper Neutralization of Input Leaders), CWE-863 (Incorrect Authorization)
Status: published
Products (19)
io.quarkus/quarkus-csrf-reactive 0 - 2.16.11.Final (Maven)
io.quarkus/quarkus-keycloak-authorization 0 - 2.16.11.Final (Maven)
io.quarkus/quarkus-undertow 0 - 2.16.11.Final (Maven)
io.quarkus/quarkus-vertx-http 0 - 2.16.11.Final (Maven)
quarkus/quarkus < 2.16.11
redhat/build_of_optaplanner 8.0
redhat/build_of_quarkus 2.13.0 - 2.13.8
redhat/decision_manager 7.0
redhat/integration_camel_k < 1.10.2
redhat/integration_camel_quarkus
... and 9 more
Published: Sep 20, 2023
Tracked Since: Feb 18, 2026