Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch.
oryginał ENCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NQuarkus
APPQuarkus< 3.20.6.23.21.0 – 3.27.4.1 (bez)3.28.0 – 3.33.2.1 (bez)3.34.0 – 3.36.3 (bez)
Powiązane podatności
Quarkus WebAuthn: pominięcie uwierzytelnienia przez domyślne endpointy REST
A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable t...
It was found that Quarkus 2.10.x does not terminate HTTP requests header context which may lead to unpredictab...
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may ...
Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3...