High severity · OSV Advisory · Published Oct 4, 2023 · Updated Aug 2, 2024
Quarkus-oidc: id and access tokens leak via the authorization code flow
CVE-2023-1584
Description
A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.quarkus:quarkus-oidc | Maven | < 2.13.0.Final | 2.13.0.Final |
| io.quarkus:quarkus-oidc | Maven | >= 3.0.0, < 3.1.0.Final | 3.1.0.Final |
References
- access.redhat.com/errata/RHSA-2023:3809 (vendor advisory)
- access.redhat.com/errata/RHSA-2023:7653 (vendor advisory)
- github.com/advisories/GHSA-6hc9-cf8x-hf83 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-1584 (advisory)
- access.redhat.com/security/cve/CVE-2023-1584 (vendor VDB entry)
- bugzilla.redhat.com/show_bug.cgi (issue tracking)
- github.com/quarkusio/quarkus/commit/5369d7ff233d3afe84ecd9160c541fba52b38e69 (patch commit)
- github.com/quarkusio/quarkus/commit/df305ff12386cf28b33567b8d9a18db164f019dd (patch commit)
- github.com/quarkusio/quarkus/pull/32192 (pull request)
- github.com/quarkusio/quarkus/pull/32192/commits/5369d7ff233d3afe84ecd9160c541fba52b38e69 (pull request commit)
- github.com/quarkusio/quarkus/pull/33414 (pull request)
- github.com/quarkusio/quarkus/pull/33414/commits/df305ff12386cf28b33567b8d9a18db164f019dd (pull request commit)