A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.
References
Link | Resource |
---|---|
https://access.redhat.com/errata/RHSA-2023:3809 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2023:7653 | |
https://access.redhat.com/security/cve/CVE-2023-1584 | Third Party Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=2180886 | Issue Tracking Third Party Advisory |
https://github.com/quarkusio/quarkus/pull/32192 | Vendor Advisory |
https://github.com/quarkusio/quarkus/pull/33414 | Vendor Advisory |
Configurations
History
03 May 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
10 Oct 2023, 13:30
Type | Values Removed | Values Added |
---|---|---|
CWE | NVD-CWE-noinfo | |
First Time |
Quarkus quarkus
Quarkus |
|
References | (MISC) https://access.redhat.com/security/cve/CVE-2023-1584 - Third Party Advisory | |
References | (MISC) https://access.redhat.com/errata/RHSA-2023:3809 - Third Party Advisory | |
References | (MISC) https://github.com/quarkusio/quarkus/pull/33414 - Vendor Advisory | |
References | (MISC) https://github.com/quarkusio/quarkus/pull/32192 - Vendor Advisory | |
References | (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2180886 - Issue Tracking, Third Party Advisory | |
CPE | cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
04 Oct 2023, 11:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-10-04 11:15
Updated : 2024-05-03 16:15
NVD link : CVE-2023-1584
Mitre link : CVE-2023-1584
CVE.ORG link : CVE-2023-1584
JSON object : View
Products Affected
quarkus
- quarkus
CWE