CVE-2023-1584 HIGH

CVE-2023-1584: Quarkus-oidc: id and access tokens leak via the authorization code flow

Vendor Red Hat

Product RHINT Service Registry 2.5.4 GA

Weakness CWE-200 · Info exposure

Published October 4, 2023

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

A flaw was found in Quarkus. Quarkus OIDC can leak both ID and access tokens in the authorization code flow when an insecure HTTP protocol is used, which can allow attackers to access sensitive user data directly from the ID token or by using the access token to access user data from OIDC provider services. Please note that passwords are not stored in access tokens.

Key dates

02Disclosure timeline

October 4, 2023 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-1584 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

CVE-2023-1584: Quarkus-oidc: id and access tokens leak via the authorization code flow

01Description

02Disclosure timeline

03References

04Related CVE