CVE-2022-4116 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2022-4116

CVE-2022-4116

November 22, 2022

A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution.

Affected Packages

io.quarkus:quarkus-vertx-http-deployment (JAVA):

Affected version(s) >=0.23.0 <2.13.5.Final

Fix Suggestion:

Update to version 2.13.5.Final

io.quarkus:quarkus-vertx-http-deployment (JAVA):

Affected version(s) >=2.14.0.Final <2.14.2.Final

Fix Suggestion:

Update to version 2.14.2.Final

Related Resources (6)

https://github.com/quarkusio/quarkus/discussions/29527#discussioncomment-4387809

https://nvd.nist.gov/vuln/detail/CVE-2022-4116

https://github.com/quarkusio/quarkus

https://access.redhat.com/security/cve/CVE-2022-4116

https://bugzilla.redhat.com/show_bug.cgi?id=2144748

https://github.com/quarkusio/quarkus/discussions/29527

Do you need more information?

CVSS v4

Base Score:

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

EPSS

Base Score:

2.90

Products

Solutions

Resources

Company

Compare

Developer Tools