CVE-2022-2466 – io.quarkus:quarkus-core-parent
Package
Manager: maven
Name: io.quarkus:quarkus-core-parent
Vulnerable Version: >=2.10.0 <2.10.4
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.12221 (percentile 0.936)
Details
Quarkus does not terminate HTTP requests header context
Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. It was found that Quarkus 2.10.x does not terminate HTTP requests header context, which may lead to unpredictable behavior. This issue was fixed in version 2.10.4.Final.
Metadata
Created: 2022-09-01T00:00:23Z
Modified: 2022-09-16T17:41:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-mwhw-6p27-4crc/GHSA-mwhw-6p27-4crc.json
CWE IDs: ["CWE-444"]
Alternative ID: GHSA-mwhw-6p27-4crc
Finding: F110
Auto approve: 1