Red Hat Quarkus

Smallrye Fault Tolerance OOM DoS via /metrics URI
CVE-2025-2240 7.5 - High - March 12, 2025

A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.

Stack Exhaustion

Memory Leak in Quarkus RESTEasy Extension (CVE-2025-1634)
CVE-2025-1634 7.5 - High - February 26, 2025

A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryError.

Memory Leak

Quarkus REST: Concurrency Data Leak via Unsandboxed Field Injection
CVE-2025-1247 8.3 - High - February 13, 2025

A flaw was found in Quarkus REST that allows request parameters to leak between concurrent requests if endpoints use field injection without a CDI scope. This vulnerability allows attackers to manipulate request data, impersonate users, or access sensitive information.

Exposure of Data Element to Wrong Session

Quarkus-HTTP Cookie Parsing Vulnerability
CVE-2024-12397 7.4 - High - December 12, 2024

A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.

HTTP Request Smuggling

Undertow ProxyProtocolReadListener StringBuilder reuse info-leak
CVE-2024-7885 7.5 - High - August 21, 2024

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.

Race Condition

Undertow MaxAge Default -1 Exposes HTTP Learning-Push handler
CVE-2024-3653 5.3 - Medium - July 08, 2024

A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.

Memory Leak

Undertow Chunked DoS: Missing 0\r\n Termination in Java 17 TLSv1.3
CVE-2024-5971 7.5 - High - July 08, 2024

A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\r\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios.

Stack Exhaustion

Denial of Service via Excessive Resource Consumption in Quarkus RESTEasy Reactive
CVE-2024-1726 - April 25, 2024

A flaw was discovered in the RESTEasy Reactive implementation in Quarkus. Due to security checks for some JAX-RS endpoints being performed after serialization, more processing resources are consumed while the HTTP request is checked. In certain configurations, if an attacker has knowledge of any POST, PUT, or PATCH request paths, they can potentially identify vulnerable endpoints and trigger excessive resource usage as the endpoints process the requests. This can result in a denial of service.

Improper Preservation of Permissions

Quarkus JAX-RS Auth Bypass via Abstract Class Methods
CVE-2023-5675 6.5 - Medium - April 25, 2024

A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties.

AuthZ

Keycloak XSS via Malicious ACS URLs (CVE-2023-6717)
CVE-2023-6717 6 - Medium - April 25, 2024

A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.

XSS

Keycloak Redirect URI Validation Bypass via Wildcard URIs
CVE-2024-1132 8.1 - High - April 17, 2024

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.

Directory traversal

Quarkus Core Env Var Leakage in Build
CVE-2024-2700 7 - High - April 04, 2024

A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.

Exposure of Sensitive Information Through Environmental Variables

Memory Leak in Eclipse Vert.x TCP TLS Server via Fake SNI
CVE-2024-1300 5.4 - Medium - April 02, 2024

A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.

Memory Leak

Vert.x HTTP Client Memory Leak via Netty FastThreadLocal
CVE-2024-1023 6.5 - Medium - March 27, 2024

A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.

Memory Leak

Undertow WriteTimeoutStreamSinkConduit Causing Memory/File Exhaustion
CVE-2024-1635 7.5 - High - February 19, 2024

A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.

Resource Exhaustion

Undertow PT: Remote Attacker Can Access Privileged Files via Malformed HTTP
CVE-2024-1459 5.3 - Medium - February 12, 2024

A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP, which may permit access to privileged or restricted files and directories.

Path Traversal: '../filedir'

Deserialization Before Auth in SpringSec CVE-2023-6267
CVE-2023-6267 8.6 - High - January 25, 2024

A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.

Improper Handling of Exceptional Conditions

Java: Infinispan Unmarshal OOM DoS from Circular Object Ref
CVE-2023-5236 4.4 - Medium - December 18, 2023

A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory errors and achieve a denial of service.

Undertow AJP max-header-size DoS via mod_cluster error state
CVE-2023-5379 7.5 - High - December 12, 2023

A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluster marks the JBoss EAP instance as an error worker when the TCP connection is closed from the backend after sending the AJP request without receiving an AJP response, and stops forwarding. This issue could allow a malicious user could to repeatedly send requests that exceed the max-header-size, causing a Denial of Service (DoS).

Allocation of Resources Without Limits or Throttling

Quarkus WebSocket GraphQL Auth Bypass by Missing Role Permission
CVE-2023-6394 7.4 - High - December 09, 2023

A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions.

AuthZ

Quarkus Cache Runtime @CacheResult Context Leakage via Cached Uni
CVE-2023-6393 5.3 - Medium - December 06, 2023

A flaw was found in the Quarkus Cache Runtime. When request processing utilizes a Uni cached using @CacheResult and the cached Uni reuses the initial "completion" context, the processing switches to the cached Uni instead of the request context. This is a problem if the cached Uni context contains sensitive information, and could allow a malicious user to benefit from a POST request returning the response that is meant for another user, gaining access to sensitive data.

Information Disclosure

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests
CVE-2023-4853 8.1 - High - September 20, 2023

A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.

Improper Neutralization of Input Leaders