Headline
GHSA-xfv5-jqgp-vqhj: Quarkus Cache Runtime exposes sensitive information to an unauthorized actor
A flaw was found in the Quarkus Cache Runtime. When request processing utilizes a Uni cached using @CacheResult and the cached Uni reuses the initial “completion” context, the processing switches to the cached Uni instead of the request context. This is a problem if the cached Uni context contains sensitive information, and could allow a malicious user to benefit from a POST request returning the response that is meant for another user, gaining access to sensitive data.
CVE ID: CVE-2023-6393
Quarkus Cache Runtime exposes sensitive information to an unauthorized actor
Moderate severity • GitHub Reviewed • Published Dec 6, 2023 to the GitHub Advisory Database • Updated Dec 6, 2023
Package
io.quarkus:quarkus-cache (Maven)
Affected versions
>= 3.3.0.CR1, < 3.5.2
>= 3.2.0.CR1, < 3.2.9.Final
Patched versions
3.5.2
3.2.9.Final
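To check whether a resolved `io.quarkus:quarkus-cache` version falls inside the affected ranges listed above, the following is an added example, not code from the advisory or from the Quarkus project. It assumes a simplified Maven-style ordering that only understands the Alpha, Beta, CR/RC and Final qualifiers; the function names and the sample dependency list are constructed for illustration.

```python
import re

# Simplified Maven qualifier ranks: pre-releases sort before the release itself.
# "" and "Final" both denote the release. Assumption: only these qualifiers
# are handled; this is not the full Maven version-ordering algorithm.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "cr": 2, "rc": 2, "": 3, "final": 3}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]([A-Za-z]+)(\d*))?$")

# Ranges copied from the advisory: (inclusive lower bound, exclusive upper bound).
AFFECTED_RANGES = [("3.3.0.CR1", "3.5.2"), ("3.2.0.CR1", "3.2.9.Final")]


def parse_version(text):
    """Return a sortable tuple for versions like 3.2.9.Final or 3.3.0.CR1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, qual, qual_num = m.groups()
    rank = _QUALIFIER_RANK.get((qual or "").lower())
    if rank is None:
        raise ValueError(f"unrecognised qualifier in {text!r}")
    return (int(major), int(minor), int(patch), rank, int(qual_num or 0))


def is_affected(version):
    """True if the version lies in any affected range from the advisory."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def audit(dependencies):
    """Return the 'group:artifact:version' entries that are affected."""
    findings = []
    for coord in dependencies:
        group, artifact, version = coord.split(":")
        if (group, artifact) == ("io.quarkus", "quarkus-cache") and is_affected(version):
            findings.append(coord)
    return findings


if __name__ == "__main__":
    # Constructed sample input, e.g. flattened from a dependency report.
    sample = ["io.quarkus:quarkus-cache:3.2.8.Final", "io.quarkus:quarkus-cache:3.5.2",
              "io.quarkus:quarkus-cache:3.4.1", "io.quarkus:quarkus-arc:3.4.1"]
    for hit in audit(sample):
        print("affected:", hit)
```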