CVE-2023-4853 HIGH

CVE-2023-4853: Quarkus: http security policy bypass

Vendor: Red Hat
Product: Red Hat build of OptaPlanner 8
Weakness: CWE-148
Published: September 20, 2023
Last update: November 7, 2025

CVSS base score

8.1/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
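The class of flaw described above, a path-based HTTP security policy evaluated against the request path as received rather than its canonical form, is illustrated by the added example below. This is not Quarkus code: the policy table, request variants and canonicalization steps are constructed for illustration and are not the specific character permutations from the advisory.

```python
from urllib.parse import unquote

# Constructed policy: URL path prefix -> roles allowed to reach it.
# Any path that matches no rule is treated as public.
POLICY = {
    "/admin/": {"admin"},
    "/api/internal/": {"service"},
}


def naive_decision(raw_path: str, roles: set[str]) -> bool:
    """Weak form: match rules against the raw request path.

    A leading '//', percent-encoded letters or '..' segments make the
    path miss the rule, so the request is treated as public.
    """
    for prefix, allowed in POLICY.items():
        if raw_path.startswith(prefix):
            return bool(roles & allowed)
    return True


def canonical_segments(raw_path: str) -> tuple[str, ...]:
    """Percent-decode once, drop empty and '.' segments, resolve '..'."""
    segments: list[str] = []
    for seg in unquote(raw_path).split("/"):
        if seg in ("", "."):
            continue          # collapses '//' and '/./'
        if seg == "..":
            if segments:
                segments.pop()  # '..' above the root is ignored
            continue
        segments.append(seg)
    return tuple(segments)


def hardened_decision(raw_path: str, roles: set[str]) -> bool:
    """Hardened form: match rules segment-by-segment on the canonical path."""
    segs = canonical_segments(raw_path)
    for prefix, allowed in POLICY.items():
        want = tuple(s for s in prefix.split("/") if s)
        if segs[: len(want)] == want:
            return bool(roles & allowed)
    return True


if __name__ == "__main__":
    # Constructed request variants that all target /admin/users.
    for path in ("/admin/users", "//admin/users", "/%61dmin/users", "/public/../admin/users"):
        print(f"{path:26} naive={naive_decision(path, set())!s:5} hardened={hardened_decision(path, set())}")
```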

Key dates

Disclosure timeline

September 20, 2023: CVE published
November 7, 2025: Record updated