CVE-2023-1584
Summary
| CVE | CVE-2023-1584 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-10-04 11:15:00 UTC |
| Updated | 2023-11-07 04:04:00 UTC |
| Description | A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens. |
Risk And Classification
Problem Types: NVD-CWE-noinfo
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| cve-details | MISC | access.redhat.com | |
| Red Hat | MISC | access.redhat.com | |
| Encrypt OIDC session cookie value by default by sberyozkin · Pull Request #32192 · quarkusio/quarkus · GitHub | MISC | github.com | |
| 2.13: Encrypt OIDC session cookie value by default by sberyozkin · Pull Request #33414 · quarkusio/quarkus · GitHub | MISC | github.com | |
| 2180886 – (CVE-2023-1584) CVE-2023-1584 quarkus-oidc: ID and access tokens leak via the authorization code flow | MISC | bugzilla.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 995501 Java (Maven) Security Update for io.quarkus:quarkus-oidc (GHSA-6hc9-cf8x-hf83)