Bug 2180886 (CVE-2023-1584) - CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow
Summary: CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization c...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-1584
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2180888
TreeView+ depends on / blocked
 
Reported: 2023-03-22 14:20 UTC by Pedro Sampaio
Modified: 2023-12-05 14:36 UTC (History)
28 users (show)

Fixed In Version: quarkus-oidc 3.1.0.CR1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.
Clone Of:
Environment:
Last Closed: 2023-06-29 16:16:14 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:3809 0 None None None 2023-06-29 11:09:52 UTC
Red Hat Product Errata RHSA-2023:7653 0 None None None 2023-12-05 14:36:43 UTC

Description Pedro Sampaio 2023-03-22 14:20:28 UTC
Quarkus OIDC can leak both ID and access tokens in the authorization code
flow when insecure HTTP protocol is used which can allow attackers to
access sensitive user data, directly from the ID token or by using the
access token to access user data from OIDC provider services.

Comment 4 errata-xmlrpc 2023-06-29 11:09:50 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.8

Via RHSA-2023:3809 https://access.redhat.com/errata/RHSA-2023:3809

Comment 5 Product Security DevOps Team 2023-06-29 16:16:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-1584

Comment 7 errata-xmlrpc 2023-12-05 14:36:40 UTC
This issue has been addressed in the following products:

  RHINT Service Registry 2.5.4 GA

Via RHSA-2023:7653 https://access.redhat.com/errata/RHSA-2023:7653


Note You need to log in before you can comment on or make changes to this bug.