High severity · OSV Advisory · Published Oct 4, 2023 · Updated Aug 2, 2024

Quarkus-oidc: id and access tokens leak via the authorization code flow

CVE-2023-1584

Description

A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  | Ecosystem | Affected versions          | Patched versions
-------------------------|-----------|----------------------------|-----------------
io.quarkus:quarkus-oidc  | Maven     | < 2.13.0.Final             | 2.13.0.Final
io.quarkus:quarkus-oidc  | Maven     | >= 3.0.0, < 3.1.0.Final    | 3.1.0.Final
