#VU72324 Information disclosure in Quarkus - CVE-2023-0044

Cybersecurity Help s.r.o.

Published: 2023-02-16

Vulnerability identifier: #VU72324

Vulnerability risk: Low

CVSSv4.0: 1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-0044

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Quarkus
Server applications / Frameworks for developing and running applications

Vendor: Red Hat Inc.

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists if Quarkus Form Authentication session cookie Path attribute is set to "/". A remote attacker can perform a cross-site attack and obtain sensitive information from the cookie. The vulnerability affects Vert.x HTTP component.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Quarkus: 2.13.0-CR1 - 2.13.6

External links
https://bugzilla.redhat.com/show_bug.cgi?id=2158081

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell Data Protection Central

Multiple vulnerabilities in IBM Cloud Pak for Watson AIOps

Multiple vulnerabilities in Red Hat build of Quarkus