CVE-2022-4147: 
Java vulnerability analysis and mitigation

A vulnerability was discovered in Quarkus CORS (Cross-Origin Resource Sharing) filter that allows simple GET and POST requests with invalid Origin to proceed. The vulnerability, identified as CVE-2022-4147, specifically affects requests made with XMLHttpRequest that have no event listeners registered on the object returned by the XMLHttpRequest upload property and have no ReadableStream object used in the request (NVD, Red Hat Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates that the vulnerability is network-accessible, requires high attack complexity, needs no privileges, requires user interaction, and can potentially result in high impacts to confidentiality, integrity, and availability (NVD).

The vulnerability affects multiple versions of Quarkus, including versions from 2.0 up to (excluding) 2.13.5 and versions from 2.14.0 up to (excluding) 2.14.2. The security misconfiguration in the CORS filter could potentially lead to unauthorized access and falls under the OWASP A05:2021 Security Misconfiguration category (Red Hat Advisory).

Red Hat has released security updates to address this vulnerability. Users should upgrade to Quarkus version 2.13.5 or 2.14.2 or later versions which contain the necessary security fixes. The fixes were released as part of Red Hat build of Quarkus 2.13.5 and Quarkus Platform 2.7.6.SP3 updates (Red Hat Advisory).