Vulnerability Description
A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Quarkus | Quarkus | < 2.13.8 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2023:3809 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2023:7653
- https://access.redhat.com/security/cve/CVE-2023-1584 (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=2180886 (Issue Tracking, Third Party Advisory)
- https://github.com/quarkusio/quarkus/pull/32192 (Vendor Advisory)
- https://github.com/quarkusio/quarkus/pull/33414 (Vendor Advisory)
FAQ
What is CVE-2023-1584?
CVE-2023-1584 is a vulnerability with a CVSS score of 7.5 (HIGH). A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user d...
How severe is CVE-2023-1584?
CVE-2023-1584 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-1584?
Check the references section above for vendor advisories and patch information. Affected products include: Quarkus (vendor Quarkus), versions before 2.13.8.