Skip to main content

Build Of Quarkus CVE-2023-6393

MEDIUM
Information Exposure (CWE-200)
2023-12-06 secalert@redhat.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 06, 2023 - 17:15 nvd
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 9 maven packages depend on io.quarkus:quarkus-cache (4 direct, 5 indirect)

Ecosystem-wide dependent count for version 3.3.0.CR1.

DescriptionNVD

A flaw was found in the Quarkus Cache Runtime. When request processing utilizes a Uni cached using @CacheResult and the cached Uni reuses the initial "completion" context, the processing switches to the cached Uni instead of the request context. This is a problem if the cached Uni context contains sensitive information, and could allow a malicious user to benefit from a POST request returning the response that is meant for another user, gaining access to sensitive data.

AnalysisAI

A flaw was found in the Quarkus Cache Runtime. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. A flaw was found in the Quarkus Cache Runtime. When request processing utilizes a Uni cached using @CacheResult and the cached Uni reuses the initial "completion" context, the processing switches to the cached Uni instead of the request context. This is a problem if the cached Uni context contains sensitive information, and could allow a malicious user to benefit from a POST request returning the response that is meant for another user, gaining access to sensitive data. Affected products include: Redhat Build Of Quarkus.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

CVE-2023-4853 HIGH POC
8.1 Sep 20

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly whe

CVE-2022-4116 CRITICAL
9.8 Nov 22

A vulnerability was found in quarkus. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no

CVE-2023-2974 HIGH
8.1 Jul 04

A vulnerability was found in quarkus-core. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, l

CVE-2022-1011 HIGH
7.8 Mar 18

A use-after-free flaw was found in the Linux kernel’s FUSE filesystem in the way a user triggers write(). Rated high sev

CVE-2023-6394 HIGH
7.4 Dec 09

A flaw was found in Quarkus. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authenticati

CVE-2023-1108 HIGH
7.5 Sep 14

A flaw was found in undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authenticat

CVE-2022-1259 HIGH
7.5 Aug 31

A flaw was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authenticat

CVE-2021-20218 HIGH
7.4 Mar 16

A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. Rated high severity (CVSS 7.4), this vulne

CVE-2023-1664 MEDIUM
6.5 May 26

A flaw was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentic

CVE-2023-0044 MEDIUM
6.1 Feb 23

If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated

CVE-2021-3642 MEDIUM
5.3 Aug 05

A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final

CVE-2021-3536 MEDIUM
4.8 May 20

A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin conso

Share

CVE-2023-6393 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy