High severityNVD Advisory· Published Sep 20, 2023· Updated Nov 7, 2025

Quarkus: http security policy bypass

CVE-2023-4853

Description

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
io.quarkus:quarkus-vertx-httpMaven	< 2.16.11.Final	2.16.11.Final
io.quarkus:quarkus-vertx-httpMaven	>= 3.0.0, < 3.2.6.Final	3.2.6.Final
io.quarkus:quarkus-vertx-httpMaven	>= 3.3.0, < 3.3.3	3.3.3
io.quarkus:quarkus-undertowMaven	< 2.16.11.Final	2.16.11.Final
io.quarkus:quarkus-undertowMaven	>= 3.0.0, < 3.2.6.Final	3.2.6.Final
io.quarkus:quarkus-undertowMaven	>= 3.3.0, < 3.3.3	3.3.3
io.quarkus:quarkus-csrf-reactiveMaven	< 2.16.11.Final	2.16.11.Final
io.quarkus:quarkus-csrf-reactiveMaven	>= 3.0.0, < 3.2.6.Final	3.2.6.Final
io.quarkus:quarkus-csrf-reactiveMaven	>= 3.3.0, < 3.3.3	3.3.3
io.quarkus:quarkus-keycloak-authorizationMaven	< 2.16.11.Final	2.16.11.Final
io.quarkus:quarkus-keycloak-authorizationMaven	>= 3.0.0, < 3.2.6.Final	3.2.6.Final
io.quarkus:quarkus-keycloak-authorizationMaven	>= 3.3.0, < 3.3.3	3.3.3

Affected products

Red Hat/RHINT Camel-K-1.10.2v5
cpe:/a:redhat:camel_k:1
Red Hat/Red Hat Camel Extensions for Quarkus 2.13.3-1v5
cpe:/a:redhat:camel_quarkus:2.13
Red Hat/Process Automationcpe-rescue
cpe:/a:redhat:jboss_enterprise_bpms_platform:7
Red Hat/RHPAM 7.13.4 asyncv5
cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
Red Hat/Red Hat OpenShift Serverless 1.30v5
cpe:/a:redhat:openshift_serverless:1.30::el8
Range: 1.30.0-6
Red Hat/Red Hat build of OptaPlanner 8v5
cpe:/a:redhat:optaplanner:::el6
Red Hat/Red Hat build of Quarkus 2.13.8.SP2v5
cpe:/a:redhat:quarkus:2.13
Range: 2.13.8.Final-redhat-00005
Red Hat/RHEL-8 based Middleware Containersv5
cpe:/a:redhat:rhosemc:1.0::el8
Range: 7.13.4-3
Red Hat/Openshift Serverless 1 on RHEL 8v5
cpe:/a:redhat:serverless:1.0::el8
Range: 0:1.9.2-3.el8
Red Hat/RHINT Service Registry 2.5.4 GAv5
cpe:/a:redhat:service_registry:2.5
ghsa-coords4 versions
pkg:maven/io.quarkus/quarkus-csrf-reactive pkg:maven/io.quarkus/quarkus-keycloak-authorization pkg:maven/io.quarkus/quarkus-undertow pkg:maven/io.quarkus/quarkus-vertx-http
< 2.16.11.Final+ 3 more
- (no CPE)range: < 2.16.11.Final
- (no CPE)range: < 2.16.11.Final
- (no CPE)range: < 2.16.11.Final
- (no CPE)range: < 2.16.11.Final

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

access.redhat.com/errata/RHSA-2023:5170ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2023:5310ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2023:5337ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2023:5446ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2023:5479ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2023:5480ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2023:6107ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2023:6112ghsavendor-advisoryx_refsource_REDHATWEB
access.redhat.com/errata/RHSA-2023:7653ghsavendor-advisoryx_refsource_REDHATWEB
github.com/advisories/GHSA-4f4r-wgv2-jjvgghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-4853ghsaADVISORY
access.redhat.com/articles/11258ghsaWEB
access.redhat.com/security/cve/CVE-2023-4853ghsavdb-entryx_refsource_REDHATWEB
access.redhat.com/security/vulnerabilities/RHSB-2023-002ghsatechnical-descriptionx_refsource_REDHATWEB
bugzilla.redhat.com/show_bug.cgighsaissue-trackingx_refsource_REDHATWEB
github.com/quarkusio/quarkus/issues/35785ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000