2158081 – (CVE-2023-0044) CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure

Bug 2158081 (CVE-2023-0044) - CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure

Summary: CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which ...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2023-0044
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2158082
TreeView+	depends on / blocked

Reported:	2023-01-04 07:31 UTC by Sandipan Roy
Modified:	2024-04-17 10:29 UTC (History)
CC List:	64 users (show)
Fixed In Version:	quarkus-vertx-http 2.13.7
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Quarkus. If the Quarkus Form Authentication session cookie Path attribute is set to `/`, then a cross-site attack may be initiated, which might lead to information disclosure.
Clone Of:
Environment:
Last Closed:	2023-03-08 19:58:21 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:0758	0	None	None	None	2023-02-14 12:11:55 UTC
Red Hat Product Errata	RHSA-2023:1006	0	None	None	None	2023-03-08 14:55:23 UTC

Description Sandipan Roy 2023-01-04 07:31:26 UTC

If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.

Comment 2 errata-xmlrpc 2023-02-14 12:11:52 UTC

This issue has been addressed in the following products:

  Red Hat build of Quarkus

Via RHSA-2023:0758 https://access.redhat.com/errata/RHSA-2023:0758

Comment 3 errata-xmlrpc 2023-03-08 14:55:20 UTC

This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.7.7

Via RHSA-2023:1006 https://access.redhat.com/errata/RHSA-2023:1006

Comment 4 Product Security DevOps Team 2023-03-08 19:58:18 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-0044

Note You need to log in before you can comment on or make changes to this bug.

aileenc
alazarot
anstephe
asoldano
avibelli
balejosg
bbaranow
bgeorges
bmaxwell
brian.stansberry
cdewolf
chazlett
clement.escoffier
dandread
darran.lofthouse
dkreling
dosoudil
emingora
eric.wittmann
fjuma
fmongiar
gjospin
gmalinko
gsmet
hamadhan
ibek
ivassile
iweiss
janstey
jmartisk
jnethert
jpavlik
jpechane
jrokos
jross
jstastny
jwon
kverlaen
lgao
lthon
max.andersen
mnovotny
mokumar
mosmerov
msochure
msvehla
nwallace
pantinor
pdelbell
peholase
pgallagh
pjindal
pmackay
probinso
rguimara
rrajasek
rruss
rstancel
rsvoboda
sbiarozk
sdouglas
smaestri
tom.jenkinson
tqvarnst