CVE-2023-4853 — HIGH (8.1) — White Hats Nepal

Q: How severe is CVE-2023-4853?

CVE-2023-4853 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-4853?

Check the references section above for vendor advisories and patch information. Affected products include: Quarkus Quarkus, Redhat Build Of Optaplanner, Redhat Build Of Quarkus, Redhat Decision Manager, Redhat Integration Camel K.

Vulnerability Description

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

CVSS Score

8.1

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Quarkus	Quarkus	< 2.16.11
Redhat	Build Of Optaplanner	8.0
Redhat	Build Of Quarkus	>= 2.13.0, < 2.13.8
Redhat	Decision Manager	7.0
Redhat	Integration Camel K	< 1.10.2
Redhat	Integration Camel Quarkus	-
Redhat	Integration Service Registry	-
Redhat	Jboss Middleware	1
Redhat	Jboss Middleware Text-Only Advisories	1.0
Redhat	Openshift Serverless	-
Redhat	Process Automation Manager	7.0
Redhat	Openshift Container Platform	4.10
Redhat	Enterprise Linux	8.0

Related Weaknesses (CWE)

CWE-863 CWE-148

References

https://access.redhat.com/errata/RHSA-2023:5170Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:5310Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:5337Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:5446Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:5479Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:5480Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:6107Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:6112Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:7653Vendor Advisory
https://access.redhat.com/security/cve/CVE-2023-4853MitigationVendor Advisory
https://access.redhat.com/security/vulnerabilities/RHSB-2023-002ExploitMitigationTechnical Description
https://bugzilla.redhat.com/show_bug.cgi?id=2238034Issue TrackingVendor Advisory
https://access.redhat.com/errata/RHSA-2023:5170Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:5310Vendor Advisory
https://access.redhat.com/errata/RHSA-2023:5337Vendor Advisory

FAQ

What is CVE-2023-4853?

CVE-2023-4853 is a vulnerability with a CVSS score of 8.1 (HIGH). A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This iss...

How severe is CVE-2023-4853?

CVE-2023-4853 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-4853?

Check the references section above for vendor advisories and patch information. Affected products include: Quarkus Quarkus, Redhat Build Of Optaplanner, Redhat Build Of Quarkus, Redhat Decision Manager, Redhat Integration Camel K.