Developers have been warned that the popular Quarkus framework is affected by a critical vulnerability that could lead to remote code execution.
Available since 2019, Quarkus is an open source Kubernetes-native Java framework designed for GraalVM and HotSpot virtual machines.
Tracked as CVE-2022-4116 (CVSS score of 9.8), the security defect was identified in the Dev UI Config Editor and can be exploited via drive-by localhost attacks.
“Exploiting the vulnerability isn’t difficult and can be done by a malicious actor without any privileges,” Contrast Security researcher Joseph Beeton, who discovered the bug, explains.
Because localhost-bound services are, in fact, accessible from the outside, an attacker can create a malicious website to target developers who are using vulnerable instances of Quarkus, the security researcher says.
– Nov 28, 2022
Quarkus 2.14.2.Final and 2.13.5.Final released – Fix for CVE-2022-4116
Both releases fix CVE-2022-4116, which has been rated as high severity.
This fix also hardens CORS handling, including changing 200 OK to 403 FORBIDDEN when a CORS request is rejected because of an invalid origin.
It is highly recommended to upgrade to these new versions:
- 2.14.2.Final contains this fix and several others
- 2.13.5.Final targets the 2.13 branch and contains this fix only
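To make the hardening in the release note concrete, here is an added Python model (not Quarkus code) of the status-code change: a CORS request whose Origin is not on the allow-list used to fall through with 200 OK and no CORS headers, whereas the hardened handler answers 403 FORBIDDEN. The allow-list and origins below are constructed placeholders; in Quarkus the real list comes from `quarkus.http.cors.origins`.

```python
"""Model of CORS origin handling before and after the CVE-2022-4116 fix.

Constructed example: it reproduces only the behaviour the release notes
describe (200 OK -> 403 FORBIDDEN on an invalid origin), not Quarkus internals.
"""
from typing import Dict, Optional, Tuple

# Hypothetical allow-list; exact, scheme-qualified origins only.
ALLOWED_ORIGINS = {"http://localhost:8080", "https://dev.example.internal"}

Response = Tuple[int, Dict[str, str]]


def origin_allowed(origin: str) -> bool:
    # Exact match only: no prefix matching, so "http://localhost:8080.other.example"
    # or the same host on a different port never passes.
    return origin in ALLOWED_ORIGINS


def handle_cors_weak(origin: Optional[str]) -> Response:
    """Pre-fix model: an origin that is not allowed is simply not echoed back
    in Access-Control-Allow-Origin, but the response is still 200 OK, so the
    request still reaches the endpoint behind the filter."""
    if origin is None or not origin_allowed(origin):
        return 200, {}
    return 200, {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


def handle_cors_hardened(origin: Optional[str]) -> Response:
    """Post-fix model: a cross-origin request from an origin that is not on
    the allow-list is rejected outright with 403 FORBIDDEN."""
    if origin is None:
        # No Origin header: not a CORS request (same-origin or non-browser client).
        return 200, {}
    if not origin_allowed(origin):
        return 403, {}
    return 200, {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


if __name__ == "__main__":
    # Constructed sample: a browser on a third-party page hitting a local dev server.
    for origin in (None, "http://localhost:8080", "https://not-allowed.example"):
        print(f"Origin={origin!r:32} weak={handle_cors_weak(origin)[0]} "
              f"hardened={handle_cors_hardened(origin)[0]}")
```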