CVE-2023-2974: quarkus-core vulnerable to client driven TLS cipher downgrading
(updated )
A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol.
References
- access.redhat.com/errata/RHSA-2023:3809
- access.redhat.com/security/cve/CVE-2023-2974
- bugzilla.redhat.com/show_bug.cgi?id=2211026
- github.com/advisories/GHSA-3fhx-3vvg-2j84
- github.com/quarkusio/quarkus/commit/468397ae53a8d6aae933d0d406f94965e97d1935
- github.com/quarkusio/quarkus/pull/34469
- nvd.nist.gov/vuln/detail/CVE-2023-2974
Code Behaviors & Features
Detect and mitigate CVE-2023-2974 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →