CVE-2023-5720

7.7 HIGH

📋 TL;DR

Quarkus did not properly sanitize the artifacts produced by its Gradle plugin, so information from the build system (build-time configuration and, depending on what was present in the build environment, credentials or other sensitive values) could remain inside the packaged application. Anyone who can obtain the artifact, for example by pulling the container image or downloading the jar from an artifact repository, can read that information. Only applications built with the Quarkus Gradle plugin are affected.

💻 Affected Systems

Products:
  • Quarkus
Versions: Quarkus releases whose Gradle plugin predates the fix; the fixed releases are listed in the Red Hat advisory linked below
Operating Systems: All platforms running Quarkus
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Quarkus applications built with the Gradle plugin. Maven builds are not affected.

📦 What is this software?

Quarkus is Red Hat's Kubernetes-native Java framework. Its Gradle plugin (plugin ID `io.quarkus`) packages the application, by default into the `build/quarkus-app` directory with its `quarkus-run.jar`, and this advisory concerns what that plugin wrote into the package.

⚠️ Risk & Real-World Impact

🔴 Worst Case

The build environment held real secrets (a registry password, a datasource credential, an API key) in configuration that the plugin captured into the artifact, and the artifact is reachable by an attacker who reuses those secrets against production systems.

🟠 Likely Case

Build-time configuration, build-host paths, user names or CI environment details end up in the artifact: not directly exploitable, but useful reconnaissance for an attacker and a finding for any review of what you ship.

🟢 If Mitigated

Artifacts have been rebuilt with the fixed plugin, any secret that was present in the build environment has been rotated, and only non-sensitive build metadata remains in what is distributed.

🌐 Internet-Facing: MEDIUM - a running Quarkus application does not serve its own build output over HTTP, so the realistic exposure is the distributed artifact: a public or weakly protected container registry, artifact repository or download site from which an outsider can pull the image or jar and unpack it.
🏢 Internal Only: LOW - fewer parties can reach the artifact, but anyone with read access to the registry, artifact repository or CI workspace, including an attacker who has already compromised one of those systems, can extract the same information.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires a copy of the built artifact (the runner jar, the quarkus-app directory, or a container image that contains it). Whoever can download it can read the leaked build information offline, without any interaction with the running application.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: the fixed Quarkus releases are listed in the Red Hat advisory linked below; upgrade to one of them (or later) and rebuild

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2023-5720

Restart Required: Yes

Instructions:

1. Update the Quarkus version used by the project (in a generated Gradle project this is `quarkusPluginVersion` and `quarkusPlatformVersion` in gradle.properties) to a fixed release named in the Red Hat advisory.
2. Rebuild the application with the updated plugin. The fix changes what the plugin writes into the package, so artifacts built earlier stay vulnerable until they are rebuilt.
3. Redeploy the rebuilt artifact and retire the old images or jars from registries and artifact repositories, since those copies still carry the leaked information.
4. Restart the application if the deployment did not already replace the running process.

🔧 Temporary Workarounds

Manual artifact sanitization

Platform: all

Before an artifact leaves the build environment, unpack it and inspect every properties or metadata file for build-host paths, user names and credential-like keys, then remove the offending files or rebuild without them. This is a per-build check, not a fix: the plugin will write the same information into the next build.

# Unpack every jar of a fast-jar build and grep the extracted text files for build-system details
for j in $(find build/quarkus-app -name '*.jar'); do unzip -o -q "$j" -d "/tmp/quarkus-inspect/$(basename "$j")"; done
grep -rIiE 'password|secret|token|user\.name|java\.home|/home/' /tmp/quarkus-inspect

Switch to Maven build system

Platform: all

Maven builds are not affected, so a project that cannot upgrade for a long time could be built with the Quarkus Maven plugin instead. This is a build migration rather than a configuration toggle (build scripts, custom tasks and the CI pipeline all change), so it only makes sense when patching is blocked for an extended period.

# Convert the Gradle build to Maven
# Update CI/CD pipelines to run the Maven build

🧯 If You Can't Patch

  • Restrict read access to every place the built artifact is published or stored: container registries, artifact repositories and CI workspaces, since those are where the leaked information is read from
  • Keep secrets out of the build environment's configuration (inject them at deploy or run time instead), and rotate any credential that was present when a vulnerable artifact was built

🔍 How to Verify

Check if Vulnerable:

Your project is affected if its build script applies the `io.quarkus` Gradle plugin and the plugin version predates the fixed releases named in the Red Hat advisory. Confirm by unpacking a produced artifact and inspecting its properties and metadata files for build-system information.

Check Version:

grep -E 'quarkus(Plugin|Platform)Version' gradle.properties

Compare the reported versions with the fixed releases in the Red Hat advisory. Note that `quarkus --version` reports only the version of the Quarkus CLI, which can differ from the plugin version the project actually builds with.

Verify Fix Applied:

After updating, rebuild the application and repeat the same inspection on the new artifact: no build-host paths, build user names or credential-like entries should remain in its properties or metadata files.
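To make both the manual artifact sanitization workaround and the verification steps above concrete, here is an added scanner. It is example code written for this page, not code from Quarkus or from the Red Hat advisory. It takes a jar, or a `build/quarkus-app` tree with its nested jars, reads every text-like entry and flags three kinds of build-system leakage: JVM and Gradle environment keys such as `user.name` or `java.home`, credential-like keys, and values that carry a build-host path. The key list, the regexes, and the sample jar it constructs for itself (including the entry name `META-INF/example-build-system.properties`) are assumptions chosen for the example; the real entry names and contents in an affected Quarkus artifact may differ, so extend the patterns to match what you find in your own builds.

```python
"""Scan a Quarkus build artifact for build-system information that should not ship.

Added example for this page (not Quarkus or Red Hat code). Patterns and sample
data below are assumptions; extend them for your environment.
"""
import io
import pathlib
import re
import sys
import zipfile

# Heuristics (assumptions for this example, not a list taken from Quarkus or the advisory).
BUILD_ENV_KEYS = {"user.name", "user.home", "user.dir", "java.home",
                  "gradle.user.home", "org.gradle.java.home"}
SENSITIVE_KEY_RE = re.compile(r"(password|passwd|secret|token|api[-_.]?key|credential)", re.I)
HOST_PATH_RE = re.compile(r"(/home/[^/\s]+|/Users/[^/\s]+|/root/|[A-Za-z]:\\Users\\)")
TEXT_SUFFIXES = (".properties", ".dat", ".txt", ".json", ".yaml", ".yml", ".xml", ".mf")


def _split_property(line):
    """Split a Java .properties or manifest line into (key, value) at the first '=' or ':'."""
    m = re.match(r"\s*([^=:\s]+)\s*[=:]?\s*(.*)$", line)
    return (m.group(1), m.group(2)) if m else (line.strip(), "")


def scan_text(entry, text):
    """Return (entry, line_no, reason, key) for every suspicious non-comment line."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":          # .properties comment syntax
            continue
        key, value = _split_property(line)
        if key in BUILD_ENV_KEYS:
            findings.append((entry, no, "build-environment property", key))
        elif SENSITIVE_KEY_RE.search(key):
            findings.append((entry, no, "credential-like key", key))
        elif HOST_PATH_RE.search(value):
            findings.append((entry, no, "build-host path in value", key))
    return findings


def scan_jar(data):
    """Scan every text-like entry of a jar (zip) held in memory as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(TEXT_SUFFIXES):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            findings.extend(scan_text(info.filename, text))
    return findings


def scan_tree(root):
    """Scan a directory such as build/quarkus-app: nested jars plus loose text files."""
    root = pathlib.Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".jar":
            findings.extend((f"{rel}!{entry}", *rest)
                            for entry, *rest in scan_jar(path.read_bytes()))
        elif path.name.lower().endswith(TEXT_SUFFIXES):
            findings.extend(scan_text(rel, path.read_text(encoding="utf-8", errors="replace")))
    return findings


def build_sample_jar(leaky=True):
    """Constructed sample artifact for a smoke test. Entry names and values are
    invented for this example and do not reproduce the real Quarkus layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("application.properties",
                    "quarkus.http.port=8080\n# datasource\nquarkus.datasource.db-kind=postgresql\n")
        if leaky:
            zf.writestr("META-INF/example-build-system.properties",
                        "user.name=ci-runner\n"
                        "java.home=/usr/lib/jvm/java-17\n"
                        "quarkus.datasource.password=build-only-s3cret\n"
                        "quarkus.package.output-directory=/home/ci-runner/workspace/app/build\n"
                        "quarkus.application.name=demo\n")
    return buf.getvalue()


def main(argv):
    if len(argv) > 1:
        target = pathlib.Path(argv[1])
        findings = scan_tree(target) if target.is_dir() else scan_jar(target.read_bytes())
    else:
        findings = scan_jar(build_sample_jar())   # no argument: smoke-test the patterns
    for entry, no, reason, key in findings:
        print(f"{entry}:{no}: {reason}: {key}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 scan_artifact.py build/quarkus-app` (or against a single runner jar) before and after the upgrade; a non-zero exit status means it found something, which makes it easy to wire into the CI job that publishes the artifact. Run with no argument and it scans its own constructed sample, a quick way to confirm the patterns behave before pointing it at a real build.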

📡 Detection & Monitoring

Log Indicators:

  • Pulls or downloads of application images and jars from the container registry or artifact repository by unexpected accounts, networks or at unusual times
  • Unusual access to build artifact files or build-related paths in web server logs

Network Indicators:

  • HTTP requests probing for build artifact paths on the application, which indicate scanning rather than a successful read, since the application does not serve its build output
  • Bulk or unusual downloads from registries, artifact repositories or download endpoints that host the built application

SIEM Query:

source="web_logs" AND (uri="*build*" OR uri="*gradle*" OR uri="*.gradle*" OR uri="*build-info*")

Treat hits from this query as a triage lead rather than evidence of exploitation: many legitimate application paths contain "build", and a running Quarkus application does not serve its build directory over HTTP in the first place. The access logs of the registry or artifact repository that hosts the image or jar are the more relevant source for this issue.

🔗 References

  • Red Hat CVE page: https://access.redhat.com/security/cve/CVE-2023-5720