CVE-2023-4853 (GCVE-0-2023-4853)

Vulnerability from cvelistv5 – Published: 2023-09-20 09:47 – Updated: 2025-11-07 10:17
VLAI?
Title
Quarkus: http security policy bypass
Summary
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
Severity ?
8.1 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-148 - Improper Neutralization of Input Leaders
Assigner
References
https://access.redhat.com/errata/RHSA-2023:5170 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:5310 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:5337 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:5446 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:5479 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:5480 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:6107 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:6112 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:7653 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-4853 vdb-entryx_refsource_REDHAT
https://access.redhat.com/security/vulnerabilitie… technical-descriptionx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2238034 issue-trackingx_refsource_REDHAT
Impacted products
Vendor Product Version
Red Hat Openshift Serverless 1 on RHEL 8 Unaffected: 0:1.9.2-3.el8 , < * (rpm)
    cpe:/a:redhat:serverless:1.0::el8
 Create a notification for this product.
    Red Hat Red Hat build of OptaPlanner 8     cpe:/a:redhat:optaplanner:::el6
 Create a notification for this product.
    Red Hat Red Hat build of Quarkus 2.13.8.SP2 Unaffected: 2.13.8.Final-redhat-00005 , < * (rpm)
    cpe:/a:redhat:quarkus:2.13
 Create a notification for this product.
    Red Hat Red Hat build of Quarkus 2.13.8.SP2 Unaffected: 2.13.8.Final-redhat-00005 , < * (rpm)
    cpe:/a:redhat:quarkus:2.13
 Create a notification for this product.
    Red Hat Red Hat build of Quarkus 2.13.8.SP2 Unaffected: 2.13.8.Final-redhat-00005 , < * (rpm)
    cpe:/a:redhat:quarkus:2.13
 Create a notification for this product.
    Red Hat Red Hat Camel Extensions for Quarkus 2.13.3-1     cpe:/a:redhat:camel_quarkus:2.13
 Create a notification for this product.
    Red Hat Red Hat OpenShift Serverless 1.30 Unaffected: 1.9.2-3 , < * (rpm)
    cpe:/a:redhat:openshift_serverless:1.30::el8
 Create a notification for this product.
    Red Hat Red Hat OpenShift Serverless 1.30 Unaffected: 1.30.1-1 , < * (rpm)
    cpe:/a:redhat:openshift_serverless:1.30::el8
 Create a notification for this product.
    Red Hat Red Hat OpenShift Serverless 1.30 Unaffected: 1.30.1-1 , < * (rpm)
    cpe:/a:redhat:openshift_serverless:1.30::el8
 Create a notification for this product.
    Red Hat Red Hat OpenShift Serverless 1.30 Unaffected: 1.9.2-3 , < * (rpm)
    cpe:/a:redhat:openshift_serverless:1.30::el8
 Create a notification for this product.
    Red Hat Red Hat OpenShift Serverless 1.30 Unaffected: 1.30.1-1 , < * (rpm)
    cpe:/a:redhat:openshift_serverless:1.30::el8
 Create a notification for this product.
    Red Hat Red Hat OpenShift Serverless 1.30 Unaffected: 1.30.1-1 , < * (rpm)
    cpe:/a:redhat:openshift_serverless:1.30::el8
 Create a notification for this product.
    Red Hat Red Hat OpenShift Serverless 1.30 Unaffected: 1.30.1-1 , < * (rpm)
    cpe:/a:redhat:openshift_serverless:1.30::el8
 Create a notification for this product.
    Red Hat Red Hat OpenShift Serverless 1.30 Unaffected: 1.30.0-5 , < * (rpm)
    cpe:/a:redhat:openshift_serverless:1.30::el8
 Create a notification for this product.
    Red Hat Red Hat OpenShift Serverless 1.30 Unaffected: 1.30.0-6 , < * (rpm)
    cpe:/a:redhat:openshift_serverless:1.30::el8
 Create a notification for this product.
    Red Hat Red Hat OpenShift Serverless 1.30 Unaffected: 1.30.0-6 , < * (rpm)
    cpe:/a:redhat:openshift_serverless:1.30::el8
 Create a notification for this product.
    Red Hat RHEL-8 based Middleware Containers Unaffected: 7.13.4-3 , < * (rpm)
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
    Red Hat RHEL-8 based Middleware Containers Unaffected: 7.13.4-2 , < * (rpm)
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
    Red Hat RHEL-8 based Middleware Containers Unaffected: 7.13.4-2 , < * (rpm)
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
    Red Hat RHEL-8 based Middleware Containers Unaffected: 7.13.4-3 , < * (rpm)
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
    Red Hat RHEL-8 based Middleware Containers Unaffected: 7.13.4-3 , < * (rpm)
    cpe:/a:redhat:rhosemc:1.0::el8
 Create a notification for this product.
    Red Hat RHINT Camel-K-1.10.2     cpe:/a:redhat:camel_k:1
 Create a notification for this product.
    Red Hat RHINT Service Registry 2.5.4 GA     cpe:/a:redhat:service_registry:2.5
 Create a notification for this product.
    Red Hat RHPAM 7.13.4 async     cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
 Create a notification for this product.
    Red Hat Red Hat Process Automation 7     cpe:/a:redhat:jboss_enterprise_bpms_platform:7
 Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:38:00.803Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2023:5170",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5170"
          },
          {
            "name": "RHSA-2023:5310",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5310"
          },
          {
            "name": "RHSA-2023:5337",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5337"
          },
          {
            "name": "RHSA-2023:5446",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5446"
          },
          {
            "name": "RHSA-2023:5479",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5479"
          },
          {
            "name": "RHSA-2023:5480",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5480"
          },
          {
            "name": "RHSA-2023:6107",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:6107"
          },
          {
            "name": "RHSA-2023:6112",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:6112"
          },
          {
            "name": "RHSA-2023:7653",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:7653"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-4853"
          },
          {
            "name": "RHSB-2023-002",
            "tags": [
              "technical-description",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002"
          },
          {
            "name": "RHBZ#2238034",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:serverless:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-clients",
          "product": "Openshift Serverless 1 on RHEL 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:1.9.2-3.el8",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:optaplanner:::el6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "quarkus-vertx-http",
          "product": "Red Hat build of OptaPlanner 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:quarkus:2.13"
          ],
          "defaultStatus": "affected",
          "packageName": "io.quarkus/quarkus-keycloak-authorization",
          "product": "Red Hat build of Quarkus 2.13.8.SP2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "2.13.8.Final-redhat-00005",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:quarkus:2.13"
          ],
          "defaultStatus": "affected",
          "packageName": "io.quarkus/quarkus-undertow",
          "product": "Red Hat build of Quarkus 2.13.8.SP2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "2.13.8.Final-redhat-00005",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:quarkus:2.13"
          ],
          "defaultStatus": "affected",
          "packageName": "io.quarkus/quarkus-vertx-http",
          "product": "Red Hat build of Quarkus 2.13.8.SP2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "2.13.8.Final-redhat-00005",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:camel_quarkus:2.13"
          ],
          "defaultStatus": "unaffected",
          "packageName": "quarkus-vertx-http",
          "product": "Red Hat Camel Extensions for Quarkus 2.13.3-1",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/client-kn-rhel8",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.9.2-3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/ingress-rhel8-operator",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.1-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/knative-rhel8-operator",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.1-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/kn-cli-artifacts-rhel8",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.9.2-3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/serverless-operator-bundle",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.1-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/serverless-rhel8-operator",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.1-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1/svls-must-gather-rhel8",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.1-1",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1-tech-preview/logic-data-index-ephemeral-rhel8",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.0-5",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1-tech-preview/logic-swf-builder-rhel8",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.0-6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:openshift_serverless:1.30::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "openshift-serverless-1-tech-preview/logic-swf-devmode-rhel8",
          "product": "Red Hat OpenShift Serverless 1.30",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1.30.0-6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rhpam-7/rhpam-kogito-builder-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.13.4-3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rhpam-7/rhpam-kogito-rhel8-operator",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.13.4-2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rhpam-7/rhpam-kogito-rhel8-operator-bundle",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.13.4-2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.13.4-3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:rhosemc:1.0::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8",
          "product": "RHEL-8 based Middleware Containers",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "7.13.4-3",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
          "cpes": [
            "cpe:/a:redhat:camel_k:1"
          ],
          "defaultStatus": "unaffected",
          "packageName": "quarkus-vertx-http",
          "product": "RHINT Camel-K-1.10.2",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:service_registry:2.5"
          ],
          "defaultStatus": "unaffected",
          "packageName": "quarkus-vertx-http",
          "product": "RHINT Service Registry 2.5.4 GA",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13"
          ],
          "defaultStatus": "unaffected",
          "product": "RHPAM 7.13.4 async",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
          ],
          "defaultStatus": "affected",
          "packageName": "quarkus-vertx-http",
          "product": "Red Hat Process Automation 7",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2023-09-08T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-148",
              "description": "Improper Neutralization of Input Leaders",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-07T10:17:29.266Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2023:5170",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5170"
        },
        {
          "name": "RHSA-2023:5310",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5310"
        },
        {
          "name": "RHSA-2023:5337",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5337"
        },
        {
          "name": "RHSA-2023:5446",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5446"
        },
        {
          "name": "RHSA-2023:5479",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5479"
        },
        {
          "name": "RHSA-2023:5480",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5480"
        },
        {
          "name": "RHSA-2023:6107",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:6107"
        },
        {
          "name": "RHSA-2023:6112",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:6112"
        },
        {
          "name": "RHSA-2023:7653",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:7653"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-4853"
        },
        {
          "name": "RHSB-2023-002",
          "tags": [
            "technical-description",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002"
        },
        {
          "name": "RHBZ#2238034",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-09-08T00:00:00+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-09-08T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Quarkus: http security policy bypass",
      "workarounds": [
        {
          "lang": "en",
          "value": "Use a \u2018deny\u2019 wildcard for base paths, then authenticate specifics within that:\n\nExamples:\n```\ndeny: /*\nauthenticated: /services/*\n```\nor\n```\ndeny: /services/*\nroles-allowed: /services/rbac/*\n```\n\nNOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected\u2013shipping the component in question\u2013without being vulnerable (\u201caffected at reduced impact\u201d).\n\nSee https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations."
        }
      ],
      "x_redhatCweChain": "CWE-148: Improper Neutralization of Input Leaders"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-4853",
    "datePublished": "2023-09-20T09:47:32.150Z",
    "dateReserved": "2023-09-08T16:10:38.379Z",
    "dateUpdated": "2025-11-07T10:17:29.266Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.