Quarkus: authorization flaw in quarkus resteasy reactive and classic when "quarkus.security.jaxrs.deny-unannotated-endpoints" or "quarkus.security.jaxrs.default-roles-allowed" properties are used.
CVE-2023-5675
6.5MEDIUM
Key Information
- Vendor
- Red Hat
- Status
- Red Hat Build Of Quarkus 2.13.9.final
- Red Hat Build Of Quarkus 3.2.9.final
- A-MQ Clients 2
- Cryostat 2
- Vendor
- CVE Published:
- 25 April 2024
Summary
A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties.
Affected Version(s)
Red Hat build of Quarkus 2.13.9.Final <= 2.13.9.Final-redhat-00003
Red Hat build of Quarkus 2.13.9.Final <= 2.13.9.Final-redhat-00003
Red Hat build of Quarkus 3.2.9.Final <= 3.2.9.Final-redhat-00003
CVSS V3.1
Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Risk change from: null to: 6.5 - (MEDIUM)
Vulnerability published.
Reported to Red Hat.
Collectors
NVD DatabaseMitre Database
Credit
This issue was discovered by Michal Vavřík (Red Hat).