Red Hat build of Quarkus
cpe:2.3:a:redhat:build_of_quarkus:*:*:*:*:*:*:*
- < 3.15.3.SP1
- < 3.8.6.SP3
A vulnerability exists in Red Hat Quarkus REST that allows request parameters to leak between concurrent requests. This issue arises when endpoints use field injection without a proper CDI scope, leading to the unintentional sharing of request data between users. As a result, attackers could manipulate request information, impersonate users, or access sensitive data. The vulnerability affects all versions of the Red Hat build of Quarkus prior to 3.15.3.SP1, as well as versions of Red Hat Build of Apache Camel 4.8 for Quarkus 3.15 prior to 3.15.3.SP1.
The vulnerability can lead to cross-request data leakage, compromising the confidentiality and integrity of user interactions. In a concurrent environment, sensitive request data such as authentication headers, cookies, or form parameters can be inadvertently exposed to other users, violating HTTP request isolation principles. This could result in session hijacking, unauthorized access, or privilege escalation.
To reproduce this vulnerability, create a Quarkus REST endpoint that uses field injection for request parameters without applying a CDI scope. Deploy this endpoint and send multiple concurrent requests. The shared instance of the endpoint class will allow request parameters from one request to leak into another, demonstrating the cross-request data leakage.
Users can upgrade to Red Hat build of Quarkus 3.15.3.SP1 or Red Hat Build of Apache Camel 4.8 for Quarkus 3.15.3.SP1, both of which address this vulnerability.
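The endpoint shape the advisory describes, beside the two ways of removing the shared instance state, as an added illustration that is not part of the advisory or of Quarkus itself. The resource classes, paths and parameter names are made up; the classes are package-private only so the comparison fits in one file, and the jakarta.* namespace assumes Quarkus 3.x.

```java
import jakarta.enterprise.context.RequestScoped;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.HeaderParam;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.QueryParam;

// UNSAFE (the pattern the advisory describes): request parameters are injected into
// fields, but the class declares no CDI scope. If the container hands the same
// instance to concurrent requests, the fields hold whichever request wrote them
// last, so one caller can read another caller's header or query value.
@Path("/profile-unsafe")
class UnsafeProfileResource {
    @HeaderParam("Authorization") String authorization; // per-request secret in shared state
    @QueryParam("account") String account;

    @GET
    public String profile() {
        return "account=" + account + " authorization=" + authorization;
    }
}

// FIX 1: declare @RequestScoped so the container creates a fresh instance for every
// request; field state can no longer cross a request boundary.
@Path("/profile")
@RequestScoped
class ProfileResource {
    @HeaderParam("Authorization") String authorization;
    @QueryParam("account") String account;

    @GET
    public String profile() {
        return "account=" + account + " authorization=" + authorization;
    }
}

// FIX 2: inject request parameters as method parameters. Nothing request-specific
// is stored on the instance, so the class is safe even when shared as a singleton.
@Path("/profile-params")
class ProfileParamResource {
    @GET
    public String profile(@HeaderParam("Authorization") String authorization,
                          @QueryParam("account") String account) {
        return "account=" + account + " authorization=" + authorization;
    }
}
```

Sending overlapping requests with distinct `Authorization` and `account` values to the unsafe path makes a mismatch visible in the responses; the two fixed paths always echo the caller's own values. The upgrade in the advisory remains the primary remediation, and the explicit scope is the defensive coding habit that keeps endpoints correct regardless of container defaults.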