CVE-2023-1584

A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.
Configurations

Configuration 1 (hide)

cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*

History

03 May 2024, 16:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2023:7653 -

10 Oct 2023, 13:30

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
CPE cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*
First Time Quarkus quarkus
Quarkus
References (MISC) https://access.redhat.com/security/cve/CVE-2023-1584 - (MISC) https://access.redhat.com/security/cve/CVE-2023-1584 - Third Party Advisory
References (MISC) https://access.redhat.com/errata/RHSA-2023:3809 - (MISC) https://access.redhat.com/errata/RHSA-2023:3809 - Third Party Advisory
References (MISC) https://github.com/quarkusio/quarkus/pull/33414 - (MISC) https://github.com/quarkusio/quarkus/pull/33414 - Vendor Advisory
References (MISC) https://github.com/quarkusio/quarkus/pull/32192 - (MISC) https://github.com/quarkusio/quarkus/pull/32192 - Vendor Advisory
References (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2180886 - (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2180886 - Issue Tracking, Third Party Advisory
CWE NVD-CWE-noinfo

04 Oct 2023, 11:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-10-04 11:15

Updated : 2024-05-03 16:15


NVD link : CVE-2023-1584

Mitre link : CVE-2023-1584

CVE.ORG link : CVE-2023-1584


JSON object : View

Products Affected

quarkus

  • quarkus
CWE
NVD-CWE-noinfo CWE-200

Exposure of Sensitive Information to an Unauthorized Actor