A flaw was found in the Quarkus Cache Runtime. When request processing uses a Uni cached with @CacheResult, and the cached Uni reuses the initial "completion" context, processing continues in the cached Uni's context instead of the current request's context. This is a problem if the cached Uni's context contains sensitive information: it could allow a malicious user to benefit from a POST request returning the response meant for another user, gaining access to sensitive data.
References
| Link | Resource |
|---|---|
| https://access.redhat.com/security/cve/CVE-2023-6393 | Vendor Advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=2253113 | Issue Tracking, Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2023-12-06T16:58:54.230Z
Updated: 2024-04-25T15:57:25.820Z
Reserved: 2023-11-30T03:30:16.241Z
Link: CVE-2023-6393
NVD Information
Status: Analyzed
Published: 2023-12-06T17:15:07.377
Modified: 2023-12-12T16:26:59.963
Link: CVE-2023-6393
Redhat Information
No data.