CVE-2023-4853 — Quarkus HTTP vulnerable to incorrect evaluation of permissions

Description

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

How to fix CVE-2023-4853

To remediate CVE-2023-4853, upgrade the affected package to a fixed version below.

—upgrade to 2.16.11.Final or later
—upgrade to 2.16.11.Final or later
—upgrade to 2.16.11.Final or later
—upgrade to 2.16.11.Final or later

Is CVE-2023-4853 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 2.16.11.Final
from 0, < 2.16.11.Final
from 0, < 2.16.11.Final
from 0, < 2.16.11.Final

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (17)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-4853
PATCHgithub.com/quarkusio/quarkus
WEBaccess.redhat.com/articles/11258
WEBaccess.redhat.com/errata/RHSA-2023:5170
WEBaccess.redhat.com/errata/RHSA-2023:5310