Quarkus: JSON payload gets processed prior to security checks when REST resources are secured with annotations.
CVE-2023-6267

9.8 CRITICAL

Summary

A vulnerability exists in the JSON payload processing of REST resources in Red Hat build of Quarkus. The flaw arises when annotation-based security is used: the JSON body is processed before security constraints are evaluated and applied, so the deserialization step is reachable by callers who have not yet passed those checks. The issue does not occur with configuration-based security, which enforces the security checks before the JSON data is deserialized. This discrepancy poses a significant risk to the integrity of data handled by the affected products.
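The distinction the summary draws, annotation-based security (for example `@RolesAllowed` on a JAX-RS resource method) versus configuration-based security applied at the HTTP layer, can be shown with a Quarkus `application.properties` fragment. This is an added example, not part of the advisory or of the Quarkus project; the path `/api/orders`, the policy name `order-writers` and the role `order-admin` are assumed placeholders.

```properties
# Added example (not from the advisory): enforce authentication and role checks
# through the configuration-based HTTP security policy, so the check runs before
# the request body reaches JAX-RS JSON deserialization.

# Named policy: only principals holding the assumed role may pass.
quarkus.http.auth.policy.order-writers.roles-allowed=order-admin

# Map the policy onto the assumed resource path for the methods that carry a JSON body.
quarkus.http.auth.permission.order-writers.paths=/api/orders,/api/orders/*
quarkus.http.auth.permission.order-writers.methods=POST,PUT,PATCH
quarkus.http.auth.permission.order-writers.policy=order-writers
```

With this mapping in place, a request to the protected path that lacks valid credentials or the required role is rejected at the HTTP layer, before any JSON is parsed. The resource method can keep its `@RolesAllowed("order-admin")` annotation as defense in depth; the configuration-based policy is the control the advisory identifies as unaffected.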

Affected Version(s)

  • Red Hat build of Quarkus 2.13.9.Final (build 2.13.9.Final-redhat-00003)

  • Red Hat build of Quarkus 3.2.9.Final (build 3.2.9.Final-redhat-00003)

References

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD Database, Mitre Database