CVE-2022-4147

HIGH7.5EPSS 0.46%

Quarkus CORS filter allows simple GET and POST requests with an invalid Origin to proceed

發布日:2022/12/6修改日:2024/2/16

描述

Quarkus CORS filter allows simple GET and POST requests with invalid Origin to proceed. Simple GET or POST requests made with XMLHttpRequest are the ones which have no event listeners registered on the object returned by the XMLHttpRequest upload property and have no ReadableStream object used in the request.

受影響套件(1)

Maven/io.quarkus:quarkus-vertx-http>= 2.14.0.CR1, < 2.14.2.Final

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-4147
PATCHhttps://github.com/quarkusio/quarkus
WEBhttps://access.redhat.com/security/cve/CVE-2022-4147
WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=2148867
WEBhttps://quarkus.io/blog/quarkus-2-14-2-final-released