CVE-2023-1584
Quarkus-oidc: id and access tokens leak via the authorization code flow
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.
| CWE | CWE-200 |
| Published | Oct 4, 2023 |
| Last Updated | Aug 2, 2024 |
Stay Ahead of the Next One
Get instant alerts for
Be the first to know when new high vulnerabilities are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
Red Hat / Red Hat build of Quarkus 2.13.8.Final
All versions affected Red Hat / RHINT Service Registry 2.5.4 GA
All versions affected References
access.redhat.com: https://access.redhat.com/errata/RHSA-2023:3809 access.redhat.com: https://access.redhat.com/errata/RHSA-2023:7653 access.redhat.com: https://access.redhat.com/security/cve/CVE-2023-1584 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2180886 github.com: https://github.com/quarkusio/quarkus/pull/32192 github.com: https://github.com/quarkusio/quarkus/pull/33414
Credits
This issue was discovered by Paulo Lopes (Red Hat).