CVE-2023-2974

A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2023:3809	Release Notes
https://access.redhat.com/security/cve/CVE-2023-2974	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2211026	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:redhat:build_of_quarkus:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-07-04 14:15

Updated : 2023-11-07 04:13

NVD link : CVE-2023-2974

Mitre link : CVE-2023-2974

CVE.ORG link : CVE-2023-2974

JSON object : View

Products Affected

redhat

build_of_quarkus

CWE

NVD-CWE-Other CWE-757

Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

{"id": "CVE-2023-2974", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.2}]}, "published": "2023-07-04T14:15:09.473", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:3809", "tags": ["Release Notes"], "source": "secalert@redhat.com"}, {"url": "https://access.redhat.com/security/cve/CVE-2023-2974", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2211026", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-757"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol."}], "lastModified": "2023-11-07T04:13:36.653", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:build_of_quarkus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AA14AAC6-1EBE-4249-8EAA-38CBFE82A63B", "versionEndExcluding": "2.13.8"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}

8.1 /10