CVE-2023-5675

Description

A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties.

Reserved 2023-10-20 | Published 2024-04-25 | Updated 2024-11-24 | Assigner redhat

Problem types

Improper Authorization

Product status

Default status
unaffected

3.2.0 before 3.2.10.Final
affected

3.6.0 before 3.6.9
affected

3.7.0 before 3.7.1
affected

3.8.0 before 3.8.*
unaffected

Default status
affected

2.13.9.Final-redhat-00003 before *
unaffected

Default status
affected

2.13.9.Final-redhat-00003 before *
unaffected

Default status
affected

3.2.9.Final-redhat-00003 before *
unaffected

Default status
affected

3.2.9.Final-redhat-00003 before *
unaffected

Default status
unknown

Default status
unknown

Default status
unknown

Default status
unknown

Default status
unknown

Default status
unknown

Default status
unknown

Default status
unknown

Default status
unknown

Default status
unknown

Timeline

2023-10-16:	Reported to Red Hat.
2024-01-24:	Made public.

Credits

This issue was discovered by Michal Vavřík (Red Hat).

References

access.redhat.com/errata/RHSA-2024:0494 (RHSA-2024:0494) vendor-advisory

access.redhat.com/errata/RHSA-2024:0495 (RHSA-2024:0495) vendor-advisory

access.redhat.com/security/cve/CVE-2023-5675 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2245197 (RHBZ#2245197) issue-tracking

cve.org (CVE-2023-5675)

nvd.nist.gov (CVE-2023-5675)

Download JSON