Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-1584

A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.

Published

2023-10-04T11:15:09.770

Last Modified

2024-11-21T07:39:29.470

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-200
Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	quarkus	quarkus	< 2.13.8	Yes

References

https://access.redhat.com/errata/RHSA-2023:3809 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2023:7653 ([email protected])
https://access.redhat.com/security/cve/CVE-2023-1584 Third Party Advisory ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=2180886 Issue Tracking, Third Party Advisory ([email protected])
https://github.com/quarkusio/quarkus/pull/32192 Vendor Advisory ([email protected])
https://github.com/quarkusio/quarkus/pull/33414 Vendor Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2023:3809 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2023:7653 (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/security/cve/CVE-2023-1584 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=2180886 Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/quarkusio/quarkus/pull/32192 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/quarkusio/quarkus/pull/33414 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)