CVE-2022-4147: Quarkus CORS filter allows simple GET and POST requests with an invalid Origin to proceed

December 6, 2022

Quarkus CORS filter allows simple GET and POST requests with invalid Origin to proceed. Simple GET or POST requests made with XMLHttpRequest are the ones which have no event listeners registered on the object returned by the XMLHttpRequest upload property and have no ReadableStream object used in the request.

References

access.redhat.com/security/cve/CVE-2022-4147
bugzilla.redhat.com/show_bug.cgi?id=2148867
github.com/advisories/GHSA-9895-g6x5-xwcp
nvd.nist.gov/vuln/detail/CVE-2022-4147
quarkus.io/blog/quarkus-2-14-2-final-released/

Detect and mitigate CVE-2022-4147 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →