Quarkus: authorization flaw in quarkus resteasy reactive and classic when "quarkus.security.jaxrs.deny-unannotated-endpoints" or "quarkus.security.jaxrs.default-roles-allowed" properties are used.
CVE-2023-5675
6.5MEDIUM
Key Information:
- Vendor
- Red Hat
- Status
- Vendor
- CVE Published:
- 25 April 2024
Summary
A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties.
Affected Version(s)
Red Hat build of Quarkus 2.13.9.Final 2.13.9.Final-redhat-00003
Red Hat build of Quarkus 2.13.9.Final 2.13.9.Final-redhat-00003
Red Hat build of Quarkus 3.2.9.Final 3.2.9.Final-redhat-00003
References
CVSS V3.1
Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Collectors
NVD DatabaseMitre Database
Credit
This issue was discovered by Michal Vavřík (Red Hat).