Home > Vulnerability Database > CVE-2023-1584

Mend.io Vulnerability Database

CVE-2023-1584

Good to know:

Date: October 4, 2023

A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.

Language: Java

Severity Score

7.5

Related Resources (8)

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-1584

Url: https://github.com/quarkusio/quarkus/pull/33414

Url: https://bugzilla.redhat.com/show_bug.cgi?id=2180886

Url: https://access.redhat.com/security/cve/CVE-2023-1584

Url: https://access.redhat.com/errata/RHSA-2023:7653

Url: https://access.redhat.com/errata/RHSA-2023:3809

Url: https://github.com/quarkusio/quarkus/pull/32192

Url: https://www.mend.io/vulnerability-database/CVE-2023-1584

Severity Score

7.5

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version io.quarkus:quarkus-oidc:2.13.8.Final,3.1.0.CR1, io.quarkus:quarkus-oidc-common:2.13.8.Final,3.1.0.CR1

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-1584

Good to know:

Date: October 4, 2023

Language: Java

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?