Cleartext transmission of sensitive information in Quarkus - CVE-2023-1584

Published: December 5, 2023


Vulnerability identifier: #VU83886
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-1584
CWE-ID: CWE-319
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: Red Hat Inc.
Affected software:
Quarkus

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists because Quarkus OIDC can leak both the ID token and the access token during the authorization code flow when the application is served over insecure HTTP rather than HTTPS. A remote attacker on the same network path can observe the cleartext traffic and gain access to potentially sensitive information.


How to mitigate CVE-2023-1584

Install updates from vendor's website.
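Added example, not from this advisory or the Quarkus project: a Quarkus application.properties fragment showing a plain-HTTP OIDC web-app deployment of the kind this advisory describes beside a hardened one that only answers over HTTPS, so tokens from the authorization code flow never cross the wire in cleartext. The host names, keystore path and client id are constructed placeholders; applying the vendor update remains the fix, this only closes the plaintext channel.

```properties
# --- Weak: OIDC web-app reachable over plain HTTP (tokens travel in cleartext) ---
# quarkus.http.insecure-requests=enabled            # default: plaintext port is served
# quarkus.oidc.application-type=web-app
# quarkus.oidc.auth-server-url=http://idp.example.internal/realms/demo   # constructed
# quarkus.oidc.client-id=demo-app                                        # constructed
# quarkus.oidc.credentials.secret=${OIDC_CLIENT_SECRET}

# --- Hardened: serve HTTPS only and refuse the plaintext port entirely ---
quarkus.http.insecure-requests=disabled
quarkus.http.ssl.certificate.key-store-file=/etc/quarkus/tls/server.p12   # constructed path
quarkus.http.ssl.certificate.key-store-file-type=PKCS12
quarkus.http.ssl.certificate.key-store-password=${TLS_KEYSTORE_PASSWORD}

quarkus.oidc.application-type=web-app
quarkus.oidc.auth-server-url=https://idp.example.internal/realms/demo    # constructed
quarkus.oidc.client-id=demo-app                                         # constructed
quarkus.oidc.credentials.secret=${OIDC_CLIENT_SECRET}
# Build the redirect_uri with the https scheme even when a reverse proxy terminates TLS,
# so the authorization code is never returned to an http:// callback
quarkus.oidc.authentication.force-redirect-https-scheme=true
```

With insecure-requests disabled, a client that reaches the plaintext port gets no response instead of a redirect, which also removes the window in which a redirect-to-HTTPS response could carry a callback URL over cleartext.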

Sources