{"id":"CVE-2023-4853","details":"A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.","aliases":["GHSA-4f4r-wgv2-jjvg"],"modified":"2026-04-02T09:39:11.529045Z","published":"2023-09-20T10:15:14.947Z","references":[{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:5170"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:5310"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:5337"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:5446"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:5479"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:6107"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:5480"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:6112"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:7653"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2023-4853"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2238034"},{"type":"EVIDENCE","url":"https://access.redhat.com/security/vulnerabilities/RHSB-2023-002"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/quarkusio/quarkus","events":[{"introduced":"0"},{"fixed":"1944de146a5e62dcf6d2cf631dd732bd5fbed069"},{"introduced":"f9711bd42f79221a5bf9507e1ff0bd9db61601a3"},{"fixed":"8b233d5b3f101f1e6ef4bc8a4307ca6f78a1ce8e"},{"introduced":"2c6f8b84a115fbab00e562591a277dbeb8869c8d"},{"fixed":"2ecbdf55b9b0b96577607e0226f4f487f3162ef2"},{"introduced":"e37be4694aaef028733802065212f954dc4d408d"},{"fixed":"e77605f599e0f71f05e27dfd81308628ae7ffba3"},{"introduced":"0"},{"fixed":"b51a73c5755c315958edc464d51929d1e72c91ad"},{"introduced":"0"},{"last_affected":"20bcdc130907e26c1382206de4301d3b7f4e8c55"},{"introduced":"0"},{"last_affected":"20bcdc130907e26c1382206de4301d3b7f4e8c55"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.16.11"},{"introduced":"3.2.0"},{"fixed":"3.2.6"},{"introduced":"3.3.0"},{"fixed":"3.3.3"},{"introduced":"2.13.0"},{"fixed":"2.13.8"},{"introduced":"0"},{"fixed":"1.10.2"},{"introduced":"0"},{"last_affected":"1.0"},{"introduced":"0"},{"last_affected":"1.0"}]}}],"versions":["0.0.1","0.1.0","0.10.0","0.11.0","0.12.0","0.13.0","0.13.1","0.13.2","0.13.3","0.14.0","0.15.0","0.16.0","0.16.1","0.17.0","0.18.0","0.19.0","0.19.1","0.2.0","0.20.0","0.21.0","0.21.1","0.21.2","0.22.0","0.23.0","0.23.1","0.23.2","0.24.0","0.25.0","0.26.0","0.26.1","0.27.0","0.28.0","0.28.1","0.3.0","0.4.0","0.5.0","0.6.0","0.7.0","0.8.0","0.9.0","0.9.1","1.0.0.CR1","1.0.0.CR2","1.0.0.Final","1.0.1.Final","1.1.0.CR1","1.1.0.Final","1.1.1.Final","1.10.0.CR1","1.10.0.Final","1.10.1.Final","1.10.3.Final","1.10.4.Final","1.10.5.Final","1.11.0.Beta1","1.11.0.Beta2","1.11.0.CR1","1.11.0.Final","1.11.1.Final","1.11.2.Final","1.11.3.Final","1.11.4.Final","1.11.5.Final","1.11.6.Final","1.11.7.Final","1.12.0.CR1","1.12.0.Final","1.12.1.Final","1.12.2.Final","1.13.0.CR1","1.13.0.Final","1.13.1.Final","1.13.2.Final","1.13.3.Final","1.13.4.Final","1.13.5.Final","1.13.6.Final","1.13.7.Final","1.2.0.CR1","1.2.0.Final","1.2.1.Final","1.3.0.Alpha1","1.3.0.Alpha2","1.3.0.CR1","1.3.0.CR2","1.3.0.Final","1.3.1.Final","1.3.2.Final","1.3.3.Final","1.3.4.Final","1.4.0.CR1","1.4.0.Final","1.4.1.Final","1.4.2.Final","1.5.0.CR1","1.5.0.Final","1.5.1.Final","1.5.2.Final","1.6.0.CR1","1.6.0.Final","1.6.1.Final","1.7.0.CR1","1.7.0.CR2","1.7.0.Final","1.7.1.Final","1.7.2.Final","1.7.3.Final","1.7.4.Final","1.7.5.Final","1.7.6.Final","1.8.0.CR1","1.8.0.Final","1.8.1.Final","1.8.2.Final","1.8.3.Final","1.9.0.CR1","1.9.0.Final","1.9.1.Final","1.9.2.Final","2.0.0.Alpha1","2.0.0.Alpha2","2.0.0.Alpha3","2.0.0.CR1","2.0.0.CR2","2.0.0.CR3","2.0.0.Final","2.0.1.Final","2.0.2.Final","2.0.3.Final","2.1.0.CR1","2.1.0.Final","2.1.1.Final","2.1.2.Final","2.1.3.Final","2.1.4.Final","2.10.0.CR1","2.10.0.Final","2.10.1.Final","2.10.2.Final","2.10.3.Final","2.10.4.Final","2.11.0.CR1","2.11.0.Final","2.11.1.Final","2.11.2.Final","2.11.3.Final","2.12.0.CR1","2.12.0.Final","2.12.1.Final","2.12.2.Final","2.12.3.Final","2.13.0.CR1","2.13.0.Final","2.13.1.Final","2.13.2.Final","2.13.3.Final","2.13.4.Final","2.13.5.Final","2.13.6.Final","2.13.7.Final","2.13.9.Final","2.14.0.CR1","2.14.0.Final","2.14.1.Final","2.14.2.Final","2.14.3.Final","2.15.0.CR1","2.15.0.Final","2.15.1.Final","2.15.2.Final","2.15.3.Final","2.16.0.CR1","2.16.0.Final","2.16.1.Final","2.16.10.Final","2.16.12.Final","2.16.2.Final","2.16.3.Final","2.16.4.Final","2.16.5.Final","2.16.6.Final","2.16.7.Final","2.16.8.Final","2.16.9.Final","2.2.0.CR1","2.2.0.Final","2.2.1.Final","2.2.2.Final","2.2.3.Final","2.2.4.Final","2.2.5.Final","2.3.0.CR1","2.3.0.Final","2.3.1.Final","2.4.0.CR1","2.4.0.Final","2.4.1.Final","2.4.2.Final","2.5.0.CR1","2.5.0.Final","2.5.1.Final","2.5.2.Final","2.5.3.Final","2.5.4.Final","2.6.0.CR1","2.6.0.Final","2.6.1.Final","2.6.2.Final","2.6.3.Final","2.7.0.CR1","2.7.0.Final","2.7.1.Final","2.7.2.Final","2.7.3.Final","2.7.4.Final","2.7.5.Final","2.7.6.Final","2.7.7.Final","2.8.0.CR1","2.8.0.Final","2.8.1.Final","2.8.2.Final","2.8.3.Final","2.9.0.CR1","2.9.0.Final","2.9.1.Final","2.9.2.Final","3.0.0.Alpha1","3.0.0.Alpha2","3.0.0.Alpha3","3.0.0.Alpha4","3.0.0.Alpha5","3.0.0.Alpha6","3.0.0.Beta1","3.0.0.CR1","3.0.0.CR2","3.0.0.Final","3.0.1.Final","3.0.2.Final","3.0.3.Final","3.0.4.Final","3.1.0.CR1","3.1.0.Final","3.1.1.Final","3.1.2.Final","3.1.3.Final","3.10.0","3.10.0.CR1","3.10.1","3.10.2","3.11.0","3.11.0.CR1","3.11.1","3.11.2","3.11.3","3.12.0","3.12.0.CR1","3.12.1","3.12.2","3.12.3","3.13.0","3.13.0.CR1","3.13.1","3.13.2","3.13.3","3.14.0","3.14.0.CR1","3.14.1","3.14.2","3.14.3","3.14.4","3.15.0","3.15.0.CR1","3.15.1","3.15.2","3.15.3","3.15.3.1","3.15.4","3.15.5","3.15.6","3.15.6.1","3.15.6.2","3.15.7","3.16.0","3.16.0.CR1","3.16.1","3.16.2","3.16.3","3.16.4","3.17.0","3.17.0.CR1","3.17.1","3.17.2","3.17.3","3.17.4","3.17.5","3.17.6","3.17.7","3.17.8","3.18.0","3.18.0.CR1","3.18.1","3.18.2","3.18.3","3.18.4","3.19.0","3.19.0.CR1","3.19.1","3.19.2","3.19.3","3.19.4","3.2.0.CR1","3.2.0.Final","3.2.1.Final","3.2.10.Final","3.2.11.Final","3.2.12.Final","3.2.2.Final","3.2.3.Final","3.2.4.Final","3.2.5.Final","3.2.7.Final","3.2.8.Final","3.2.9.Final","3.20.0","3.20.0.CR1","3.20.1","3.20.2","3.20.2.1","3.20.2.2","3.20.3","3.20.4","3.20.5","3.21.0","3.21.0.CR1","3.21.1","3.21.2","3.21.3","3.21.4","3.22.0","3.22.0.CR1","3.22.1","3.22.2","3.22.3","3.23.0","3.23.0.CR1","3.23.1","3.23.2","3.23.3","3.23.4","3.24.0","3.24.0.CR1","3.24.1","3.24.2","3.24.3","3.24.4","3.24.5","3.25.0","3.25.0.CR1","3.25.1","3.25.2","3.25.3","3.25.4","3.26.0","3.26.0.CR1","3.26.1","3.26.2","3.26.3","3.26.4","3.27.0","3.27.0.CR1","3.27.1","3.27.2","3.28.0","3.28.0.CR1","3.28.1","3.28.2","3.28.3","3.28.4","3.28.5","3.29.0","3.29.0.CR1","3.29.1","3.29.2","3.29.3","3.29.4","3.3.0","3.3.0.CR1","3.3.1","3.3.2","3.30.0","3.30.0.CR1","3.30.1","3.30.2","3.30.3","3.30.4","3.30.5","3.30.6","3.31.0.CR1","3.4.0","3.4.0.CR1","3.4.1","3.4.2","3.4.3","3.5.0","3.5.0.CR1","3.5.1","3.5.2","3.5.3","3.6.0","3.6.0.CR1","3.6.1","3.6.2","3.6.3","3.6.4","3.6.5","3.6.6","3.6.7","3.6.8","3.6.9","3.7.0","3.7.0.CR1","3.7.1","3.7.2","3.7.3","3.7.4","3.8.0","3.8.0.CR1","3.8.1","3.8.2","3.8.3","3.8.4","3.8.5","3.8.6","3.8.6.1","3.9.0","3.9.0.CR1","3.9.0.CR2","3.9.1","3.9.2","3.9.3","3.9.4","3.9.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-4853.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.10"}]},{"events":[{"introduced":"0"},{"last_affected":"4.11"}]},{"events":[{"introduced":"0"},{"last_affected":"4.12"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}