CVE-2023-4853

Summary

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

Affected Software

VendorProductVersion RangeStatus
Red HatOpenshift Serverless 1 on RHEL 80:1.9.2-3.el8 < *unaffected
Red HatRed Hat build of Quarkus 2.13.8.SP22.13.8.Final-redhat-00005 < *unaffected
Red HatRed Hat build of Quarkus 2.13.8.SP22.13.8.Final-redhat-00005 < *unaffected
Red HatRed Hat build of Quarkus 2.13.8.SP22.13.8.Final-redhat-00005 < *unaffected
Red HatRed Hat OpenShift Serverless 1.301.9.2-3 < *unaffected
Red HatRed Hat OpenShift Serverless 1.301.30.1-1 < *unaffected
Red HatRed Hat OpenShift Serverless 1.301.30.1-1 < *unaffected
Red HatRed Hat OpenShift Serverless 1.301.9.2-3 < *unaffected
Red HatRed Hat OpenShift Serverless 1.301.30.1-1 < *unaffected
Red HatRed Hat OpenShift Serverless 1.301.30.1-1 < *unaffected
Red HatRed Hat OpenShift Serverless 1.301.30.1-1 < *unaffected
Red HatRed Hat OpenShift Serverless 1.301.30.0-5 < *unaffected
Red HatRed Hat OpenShift Serverless 1.301.30.0-6 < *unaffected
Red HatRed Hat OpenShift Serverless 1.301.30.0-6 < *unaffected
Red HatRHEL-8 based Middleware Containers7.13.4-3 < *unaffected
Red HatRHEL-8 based Middleware Containers7.13.4-2 < *unaffected
Red HatRHEL-8 based Middleware Containers7.13.4-2 < *unaffected
Red HatRHEL-8 based Middleware Containers7.13.4-3 < *unaffected
Red HatRHEL-8 based Middleware Containers7.13.4-3 < *unaffected

Weaknesses

  • CWE-148: Improper Neutralization of Input Leaders

Workarounds

Use a ‘deny’ wildcard for base paths, then authenticate specifics within that:

Examples:

deny: /*
authenticated: /services/*

or

deny: /services/*
roles-allowed: /services/rbac/*

NOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected–shipping the component in question–without being vulnerable (“affected at reduced impact”).

See https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations.

ADP Enrichment

CVE Program Container

Additional References

References