Product:

Quarkus

(Quarkus)
Repositories

Unknown:

This might be proprietary software.

#Vulnerabilities 45
Date Id Summary Products Score Patch Annotated
2024-01-25 CVE-2023-6267 A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security. Quarkus 9.8
2021-02-25 CVE-2021-20328 Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that... Java_driver, Quarkus 6.8
2022-10-02 CVE-2022-42003 In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Debian_linux, Jackson\-Databind, Oncommand_workflow_automation, Quarkus 7.5
2023-09-20 CVE-2023-4853 A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service. Quarkus, Build_of_optaplanner, Build_of_quarkus, Decision_manager, Integration_camel_k, Integration_camel_quarkus, Integration_service_registry, Jboss_middleware, Jboss_middleware_text\-Only_advisories, Openshift_container_platform, Openshift_serverless, Process_automation_manager 8.1
2023-12-09 CVE-2023-6394 A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions. Quarkus, Build_of_quarkus 9.1
2023-11-15 CVE-2023-5720 A flaw was found in Quarkus, where it does not properly sanitize artifacts created using the Gradle plugin, allowing certain build system information to remain. This flaw allows an attacker to access potentially sensitive information from the build system within the application. Quarkus 7.5
2019-12-12 CVE-2017-18640 The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564. Fedora, Peoplesoft_enterprise_pt_peopletools, Quarkus, Snakeyaml 7.5
2020-04-06 CVE-2020-1728 A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors. Quarkus, Keycloak 5.4
2020-05-06 CVE-2020-10693 A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages. Websphere_application_server, Weblogic_server, Quarkus, Hibernate_validator, Jboss_enterprise_application_platform, Satellite, Satellite_capsule 5.3
2020-06-04 CVE-2020-13692 PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. Debian_linux, Fedora, Steelstore_cloud_integrated_storage, Postgresql_jdbc_driver, Quarkus 7.7