#VU80813 Security features bypass in Red Hat build of Quarkus - CVE-2023-4853

Vulnerability identifier: #VU80813

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-4853

CWE-ID: CWE-254

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Red Hat build of Quarkus
Server applications / Other server solutions

Vendor: Red Hat Inc.

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to implemented HTTP security policies do not correctly sanitize certain character permutations, which may result in incorrect evaluation of permissions. A remote attacker can bypass the security policy altogether and gain unauthorized access to endpoints or perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Red Hat build of Quarkus: before 2.13.8

---

External links
https://access.redhat.com/errata/RHSA-2023:5170
https://bugzilla.redhat.com/show_bug.cgi?id=2238034

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.