CVE-2023-5675 | THREATINT

Assigner	redhat
Reserved	2023-10-20
Published	2024-04-25
Updated	2024-10-22

Description

A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties.

MEDIUM: 6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Product status

Default status

unaffected

3.2.0 before 3.2.10.Final

affected

3.6.0 before 3.6.9

affected

3.7.0 before 3.7.1

affected

3.8.0 before 3.8.*

unaffected

Default status

affected

2.13.9.Final-redhat-00003 before *

unaffected

Default status

affected

2.13.9.Final-redhat-00003 before *

unaffected

Default status

affected

3.2.9.Final-redhat-00003 before *

unaffected

Default status

affected

3.2.9.Final-redhat-00003 before *

unaffected

Default status

unknown

Default status

unknown

Default status

unknown

Default status

unknown

Default status

unknown

Default status

unknown

Default status

unknown

Default status

unknown

Default status

unknown

Default status

unknown

Timeline

2023-10-16:	Reported to Red Hat.
2024-01-24:	Made public.

Credits

This issue was discovered by Michal Vavřík (Red Hat).

References

https://access.redhat.com/errata/RHSA-2024:0494 (RHSA-2024:0494) vendor-advisory

https://access.redhat.com/errata/RHSA-2024:0495 (RHSA-2024:0495) vendor-advisory

https://access.redhat.com/security/cve/CVE-2023-5675 vdb-entry

https://bugzilla.redhat.com/show_bug.cgi?id=2245197 (RHBZ#2245197) issue-tracking

cve.org CVE-2023-5675

nvd.nist.gov CVE-2023-5675

Download JSON