Bug 2180886 (CVE-2023-1584)

Summary: CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aileenc, anstephe, avibelli, bgeorges, chazlett, clement.escoffier, dandread, dkreling, eric.wittmann, fjansen, gsmet, hamadhan, janstey, jmartisk, jpavlik, lthon, max.andersen, pantinor, peholase, pgallagh, pjindal, probinso, rruss, rsvoboda, sbiarozk, sdouglas, security-response-team, tqvarnst
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: quarkus-oidc 3.1.0.CR1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-06-29 16:16:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2180888    

Description Pedro Sampaio 2023-03-22 14:20:28 UTC 
Quarkus OIDC can leak both ID and access tokens in the authorization code
flow when insecure HTTP protocol is used which can allow attackers to
access sensitive user data, directly from the ID token or by using the
access token to access user data from OIDC provider services.
Comment 4 errata-xmlrpc 2023-06-29 11:09:50 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.8

Via RHSA-2023:3809 https://access.redhat.com/errata/RHSA-2023:3809
Comment 5 Product Security DevOps Team 2023-06-29 16:16:12 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-1584
Comment 7 errata-xmlrpc 2023-12-05 14:36:40 UTC 
This issue has been addressed in the following products:

  RHINT Service Registry 2.5.4 GA

Via RHSA-2023:7653 https://access.redhat.com/errata/RHSA-2023:7653