CVE-2023-6393

Summary

A flaw was found in the Quarkus Cache Runtime. When request processing utilizes a Uni cached using @CacheResult and the cached Uni reuses the initial "completion" context, the processing switches to the cached Uni instead of the request context. This is a problem if the cached Uni context contains sensitive information, and could allow a malicious user to benefit from a POST request returning the response that is meant for another user, gaining access to sensitive data.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat build of Quarkus 2.13.9.Final2.13.9.Final-redhat-00002 < *unaffected

Weaknesses

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Workarounds

No mitigation is currently available for this flaw.

ADP Enrichment

CVE Program Container

Additional References

References