CVE-2023-2974 - OpenCVE

A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Build Of Quarkus

Configuration 1 [-]

cpe:2.3:a:redhat:build_of_quarkus:*:*:*:*:*:*:*:*

References

Link	Resource
https://access.redhat.com/errata/RHSA-2023:3809	Release Notes
https://access.redhat.com/security/cve/CVE-2023-2974	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2211026	Issue Tracking Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2023-07-04T13:24:29.648Z

Updated: 2024-05-03T15:32:35.950Z

Reserved: 2023-05-30T10:06:53.993Z

Link: CVE-2023-2974

JSON object: View

NVD Information

Status : Modified

Published: 2023-07-04T14:15:09.473

Modified: 2023-11-07T04:13:36.653

Link: CVE-2023-2974

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-2974", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-05-30T10:06:53.993Z", "datePublished": "2023-07-04T13:24:29.648Z", "dateUpdated": "2024-05-03T15:32:35.950Z"}, "containers": {"cna": {"title": "Quarkus-core: tls protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported tls protocol", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat build of Quarkus 2.13.8.Final", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.quarkus/quarkus-grpc", "defaultStatus": "affected", "versions": [{"version": "2.13.8.Final-redhat-00004", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:quarkus:2.13"]}, {"vendor": "Red Hat", "product": "Red Hat build of Quarkus 2.13.8.Final", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.quarkus/quarkus-vertx-http", "defaultStatus": "affected", "versions": [{"version": "2.13.8.Final-redhat-00004", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:quarkus:2.13"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:3809", "name": "RHSA-2023:3809", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-2974", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211026", "name": "RHBZ#2211026", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2023-06-29T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-757", "description": "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", "timeline": [{"lang": "en", "time": "2023-05-30T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-06-29T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "This issue was discovered by Alexander Schwartz (Red Hat)."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-05-03T15:32:35.950Z"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:build_of_quarkus:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA14AAC6-1EBE-4249-8EAA-38CBFE82A63B", "versionEndExcluding": "2.13.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol."}], "id": "CVE-2023-2974", "lastModified": "2023-11-07T04:13:36.653", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-07-04T14:15:09.473", "references": [{"source": "secalert@redhat.com", "tags": ["Release Notes"], "url": "https://access.redhat.com/errata/RHSA-2023:3809"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-2974"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211026"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-757"}], "source": "secalert@redhat.com", "type": "Secondary"}]}