CVE-2023-1584
Severity: HIGH (CVSS 7.5)
Description
A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.
CVE details
CVSS v3.1 score: 7.5
Severity: HIGH
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 10/4/2023
Last modified: 11/21/2024
Source: nvd
Honeypot sightings: 0
Affected products
quarkus:quarkus
Weaknesses (CWE)
CWE-200
References (each listed by secalert@redhat.com and by source af854a3a-2127-422b-91ae-364da2661108)
- https://access.redhat.com/errata/RHSA-2023:3809
- https://access.redhat.com/errata/RHSA-2023:7653
- https://access.redhat.com/security/cve/CVE-2023-1584
- https://bugzilla.redhat.com/show_bug.cgi?id=2180886
- https://github.com/quarkusio/quarkus/pull/32192
- https://github.com/quarkusio/quarkus/pull/33414
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.