CVE-2023-4853

Public Exploit
Quarkus: http security policy bypass

Description

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

Remediation

Workaround:

  • Use a ‘deny’ wildcard for base paths, then authenticate specifics within that: Examples: ``` deny: /* authenticated: /services/* ``` or ``` deny: /services/* roles-allowed: /services/rbac/* ``` NOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected–shipping the component in question–without being vulnerable (“affected at reduced impact”). See https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations.

Categories

8.1
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.58%
Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com
Affected: Red Hat Openshift Serverless 1 on RHEL 8
Affected: Red Hat Red Hat build of OptaPlanner 8
Affected: Red Hat Red Hat build of Quarkus 2.13.8.SP2
Affected: Red Hat Red Hat build of Quarkus 2.13.8.SP2
Affected: Red Hat Red Hat build of Quarkus 2.13.8.SP2
Affected: Red Hat Red Hat Camel Extensions for Quarkus 2.13.3-1
Affected: Red Hat Red Hat OpenShift Serverless 1.30
Affected: Red Hat Red Hat OpenShift Serverless 1.30
Affected: Red Hat Red Hat OpenShift Serverless 1.30
Affected: Red Hat Red Hat OpenShift Serverless 1.30
Affected: Red Hat Red Hat OpenShift Serverless 1.30
Affected: Red Hat Red Hat OpenShift Serverless 1.30
Affected: Red Hat Red Hat OpenShift Serverless 1.30
Affected: Red Hat Red Hat OpenShift Serverless 1.30
Affected: Red Hat Red Hat OpenShift Serverless 1.30
Affected: Red Hat Red Hat OpenShift Serverless 1.30
Affected: Red Hat RHEL-8 based Middleware Containers
Affected: Red Hat RHEL-8 based Middleware Containers
Affected: Red Hat RHEL-8 based Middleware Containers
Affected: Red Hat RHEL-8 based Middleware Containers
Affected: Red Hat RHEL-8 based Middleware Containers
Affected: Red Hat RHINT Camel-K-1.10.2
Affected: Red Hat RHINT Service Registry 2.5.4 GA
Affected: Red Hat RHPAM 7.13.4 async
Affected: Red Hat Red Hat Process Automation 7
Published at:
Updated at:

References

Link Tags
https://access.redhat.com/errata/RHSA-2023:5170 vendor advisory
https://access.redhat.com/errata/RHSA-2023:5310 vendor advisory
https://access.redhat.com/errata/RHSA-2023:5337 vendor advisory
https://access.redhat.com/errata/RHSA-2023:5446 vendor advisory
https://access.redhat.com/errata/RHSA-2023:5479 vendor advisory
https://access.redhat.com/errata/RHSA-2023:5480 vendor advisory
https://access.redhat.com/errata/RHSA-2023:6107 vendor advisory
https://access.redhat.com/errata/RHSA-2023:6112 vendor advisory
https://access.redhat.com/errata/RHSA-2023:7653 vendor advisory
https://access.redhat.com/security/cve/CVE-2023-4853 vendor advisory mitigation vdb entry
https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 exploit vendor advisory mitigation technical description
https://bugzilla.redhat.com/show_bug.cgi?id=2238034 vendor advisory issue tracking

Frequently Asked Questions

What is the severity of CVE-2023-4853?
CVE-2023-4853 has been scored as a high severity vulnerability.
How to fix CVE-2023-4853?
As a workaround for remediating CVE-2023-4853: Use a ‘deny’ wildcard for base paths, then authenticate specifics within that: Examples: ``` deny: /* authenticated: /services/* ``` or ``` deny: /services/* roles-allowed: /services/rbac/* ``` NOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected–shipping the component in question–without being vulnerable (“affected at reduced impact”). See https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations.
Is CVE-2023-4853 being actively exploited in the wild?
It is possible that CVE-2023-4853 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-4853?
CVE-2023-4853 affects Red Hat Openshift Serverless 1 on RHEL 8, Red Hat Red Hat build of OptaPlanner 8, Red Hat Red Hat build of Quarkus 2.13.8.SP2, Red Hat Red Hat build of Quarkus 2.13.8.SP2, Red Hat Red Hat build of Quarkus 2.13.8.SP2, Red Hat Red Hat Camel Extensions for Quarkus 2.13.3-1, Red Hat Red Hat OpenShift Serverless 1.30, Red Hat Red Hat OpenShift Serverless 1.30, Red Hat Red Hat OpenShift Serverless 1.30, Red Hat Red Hat OpenShift Serverless 1.30, Red Hat Red Hat OpenShift Serverless 1.30, Red Hat Red Hat OpenShift Serverless 1.30, Red Hat Red Hat OpenShift Serverless 1.30, Red Hat Red Hat OpenShift Serverless 1.30, Red Hat Red Hat OpenShift Serverless 1.30, Red Hat Red Hat OpenShift Serverless 1.30, Red Hat RHEL-8 based Middleware Containers, Red Hat RHEL-8 based Middleware Containers, Red Hat RHEL-8 based Middleware Containers, Red Hat RHEL-8 based Middleware Containers, Red Hat RHEL-8 based Middleware Containers, Red Hat RHINT Camel-K-1.10.2, Red Hat RHINT Service Registry 2.5.4 GA, Red Hat RHPAM 7.13.4 async, Red Hat Red Hat Process Automation 7.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.