CVE-2023-2974 — quarkus-core vulnerable to client driven TLS cipher downgrading

Description

A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.

How to fix CVE-2023-2974

To remediate CVE-2023-2974, upgrade the affected package to a fixed version below.

—upgrade to 2.16.8.Final or later

Is CVE-2023-2974 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.16.8.Final

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-2974
PATCHgithub.com/quarkusio/quarkus
WEBaccess.redhat.com/errata/RHSA-2023:3809
WEBaccess.redhat.com/security/cve/CVE-2023-2974
WEBbugzilla.redhat.com