Cleartext transmission of sensitive information in Quarkus - CVE-2023-1584
Published: December 5, 2023
Vulnerability identifier: #VU83886
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-1584
CWE-ID: CWE-319
Exploitation vector: Adjacent network
Exploit availability:
No public exploit available
Vulnerable software:
Quarkus
Software vendor:
Red Hat Inc.
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists because Quarkus OIDC can leak both the ID token and the access token in the authorization code flow when the insecure HTTP protocol is used instead of HTTPS. A remote attacker on the same network segment can gain access to potentially sensitive information.
Remediation
Install updates from vendor's website.
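As an added illustration that is not part of this advisory or of the Quarkus project's own documentation, the following Quarkus `application.properties` fragment contrasts a cleartext setup with one that forces TLS for the OIDC authorization code flow. The property keys are standard Quarkus settings; the hostnames, file paths and client id are assumed placeholders.

```properties
# Added example (not from the advisory): Quarkus application.properties
# showing weak versus hardened transport settings for the OIDC
# authorization code flow (web-app application type).
# Hostnames, ports, paths and the client id are constructed placeholders.

# --- Weak: cleartext front end and provider URL; tokens may travel over HTTP
# quarkus.http.port=8080
# quarkus.http.insecure-requests=enabled
# quarkus.oidc.auth-server-url=http://idp.example.internal/realms/demo

# --- Hardened
quarkus.oidc.application-type=web-app
quarkus.oidc.client-id=demo-app
# Client secret injected from the environment, never committed to the repo
quarkus.oidc.credentials.secret=${OIDC_CLIENT_SECRET}
# Talk to the identity provider only over TLS
quarkus.oidc.auth-server-url=https://idp.example.internal/realms/demo
# Make the redirect_uri sent to the provider use https even behind a proxy
quarkus.oidc.authentication.force-redirect-https-scheme=true

# Serve TLS and reject (rather than merely redirect) cleartext requests,
# so the authorization code callback is never received over plain HTTP
quarkus.http.ssl-port=8443
quarkus.http.ssl.certificate.files=/etc/quarkus/tls/server.crt
quarkus.http.ssl.certificate.key-files=/etc/quarkus/tls/server.key
quarkus.http.insecure-requests=disabled
```

Transport hardening limits exposure of the tokens in transit but does not replace installing the vendor's fixed Quarkus release.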