Security features bypass in Red Hat build of Quarkus - CVE-2023-4853
Published: September 15, 2023
Vulnerability identifier: #VU80813
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-4853
CWE-ID: CWE-254
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Red Hat build of Quarkus
Red Hat build of Quarkus
Software vendor:
Red Hat Inc.
Red Hat Inc.
Description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to implemented HTTP security policies do not correctly sanitize certain character permutations, which may result in incorrect evaluation of permissions. A remote attacker can bypass the security policy altogether and gain unauthorized access to endpoints or perform a denial of service (DoS) attack.
Remediation
Install updates from vendor's website.