We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2023-5675

Quarkus: authorization flaw in quarkus resteasy reactive and classic when "quarkus.security.jaxrs.deny-unannotated-endpoints" or "quarkus.security.jaxrs.default-roles-allowed" properties are used.



Assignerredhat
Reserved2023-10-20
Published2024-04-25
Updated2024-10-22

Description

A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties.



MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Product status

Default status
unaffected

3.2.0 before 3.2.10.Final
affected

3.6.0 before 3.6.9
affected

3.7.0 before 3.7.1
affected

3.8.0 before 3.8.*
unaffected

Default status
affected

2.13.9.Final-redhat-00003 before *
unaffected

Default status
affected

2.13.9.Final-redhat-00003 before *
unaffected

Default status
affected

3.2.9.Final-redhat-00003 before *
unaffected

Default status
affected

3.2.9.Final-redhat-00003 before *
unaffected

Default status
unknown

Default status
unknown

Default status
unknown

Default status
unknown

Default status
unknown

Default status
unknown

Default status
unknown

Default status
unknown

Default status
unknown

Default status
unknown

Timeline

2023-10-16:Reported to Red Hat.
2024-01-24:Made public.

Credits

This issue was discovered by Michal Vavřík (Red Hat).

References

https://access.redhat.com/errata/RHSA-2024:0494 (RHSA-2024:0494) vendor-advisory

https://access.redhat.com/errata/RHSA-2024:0495 (RHSA-2024:0495) vendor-advisory

https://access.redhat.com/security/cve/CVE-2023-5675 vdb-entry

https://bugzilla.redhat.com/show_bug.cgi?id=2245197 (RHBZ#2245197) issue-tracking

cve.org CVE-2023-5675

nvd.nist.gov CVE-2023-5675

Download JSON

Share this page
https://cve.threatint.com
Subscribe to our newsletter to learn more about our work.