Bug 2253113 (CVE-2023-6393) - CVE-2023-6393 quarkus: Potential invalid reuse of context when @CacheResult on a Uni is used
Keywords:
Status: NEW
Alias: CVE-2023-6393
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2250887
Reported: 2023-12-06 05:20 UTC by Patrick Del Bello
Modified: 2024-05-03 18:49 UTC (History)
CC List: 20 users

Fixed In Version: quarkus 3.2.9.GA, quarkus 2.13.9.CR2
Doc Type: ---
Doc Text:
A flaw was found in the Quarkus Cache Runtime. When request processing uses a Uni cached with @CacheResult and the cached Uni reuses the initial "completion" context, subsequent processing switches to the context of the cached Uni instead of the current request context. This is a problem if that context carries sensitive, request-specific information: a malicious user could benefit from a POST request returning the response meant for another user, gaining access to sensitive data.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System: Red Hat Product Errata | ID: RHSA-2023:7700 | Private: 0 | Priority: None | Status: None | Summary: None | Last Updated: 2023-12-07 14:26:55 UTC

Description Patrick Del Bello 2023-12-06 05:20:15 UTC
A flaw was found in the Quarkus Cache Runtime. When request processing utilizes a Uni cached using @CacheResult, and the cached Uni reuses the initial "completion" context, the processing switches to the context of the cached Uni instead of the request context. It can be a problem if the cached Uni context contains sensitive information. A malicious user could benefit from this, as a POST request could possibly return the response that is meant for another user, giving access to sensitive data.

https://github.com/quarkusio/quarkus/issues/37078
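
Added illustration (editor's code, not from the bug report, the linked issue or Quarkus itself): the application-side pattern the description refers to, a request handler chaining request-scoped work onto a Uni cached with @CacheResult, beside a defensive rewrite that reads request state before subscribing and pins emission to the current Vert.x context. All class, method, path and cache names are made up; the cached lookup returns constructed sample data. The defensive rewrite is an assumption about how to limit exposure in application code, not the project's fix; the fix is upgrading to the versions listed above.

```java
// Added illustration for CVE-2023-6393; not code from the bug report or from Quarkus.
// Names (ProfileResource, CatalogService, "catalog", /profile) are hypothetical.
// Imports use the jakarta namespace of Quarkus 3.x; Quarkus 2.13 uses javax.
package org.example;

import java.util.concurrent.Executor;

import io.quarkus.cache.CacheResult;
import io.quarkus.security.identity.SecurityIdentity;
import io.smallrye.mutiny.Uni;
import io.vertx.core.Context;
import io.vertx.core.Vertx;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;

@ApplicationScoped
class CatalogService {

    // A user-independent, slow lookup is the intended use of @CacheResult.
    // The Uni returned here is what the cache hands back to later callers.
    @CacheResult(cacheName = "catalog")
    public Uni<String> fetchCatalog() {
        return Uni.createFrom().item("catalog-v1"); // constructed sample data
    }
}

@Path("/profile")
public class ProfileResource {

    @Inject
    SecurityIdentity identity;

    @Inject
    CatalogService catalog;

    // Affected pattern on the versions listed in the bug: request-scoped state
    // (the caller's identity) is read in a stage chained AFTER the cached Uni.
    // If the cached Uni completes on the context of the request that first
    // populated it, this stage may run on that context instead of the current
    // request's, and the response built here can belong to another user.
    @GET
    @Path("/unsafe")
    @Produces(MediaType.TEXT_PLAIN)
    public Uni<String> unsafe() {
        return catalog.fetchCatalog()
                .onItem().transform(c -> identity.getPrincipal().getName() + ":" + c);
    }

    // Defensive rewrite (editor's assumption, not the project's fix):
    // 1. read everything request-specific before subscribing to the cached Uni;
    // 2. capture this request's Vert.x context and emit the cached item on it,
    //    so downstream stages run on the caller's context, not the cached one.
    @GET
    @Path("/safer")
    @Produces(MediaType.TEXT_PLAIN)
    public Uni<String> safer() {
        String user = identity.getPrincipal().getName(); // captured eagerly
        Executor onCaller = callerContextExecutor();
        return catalog.fetchCatalog()
                .emitOn(onCaller)
                .onItem().transform(c -> user + ":" + c);
    }

    // Executor that re-dispatches onto the Vert.x context active when it was
    // created. Falls back to running inline when not on a Vert.x thread.
    static Executor callerContextExecutor() {
        Context current = Vertx.currentContext();
        if (current == null) {
            return Runnable::run;
        }
        return runnable -> current.runOnContext(v -> runnable.run());
    }
}
```

The first handler is the shape to look for when auditing a code base on an affected version: a method whose result is cached with @CacheResult returns a Uni, and something that depends on the current request is evaluated in a stage chained onto it. Moving that read ahead of the subscription removes the dependency; emitOn with the caller's context keeps later stages on the right request context even when the cached Uni is shared.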

Comment 2 errata-xmlrpc 2023-12-07 14:26:54 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.9

Via RHSA-2023:7700 https://access.redhat.com/errata/RHSA-2023:7700

