Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2023-5675

Опубликовано: 24 янв. 2024
Источник: redhat
CVSS3: 6.5
EPSS Низкий

Описание

A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
A-MQ Clients 2quarkus-resteasy-reactiveFix deferred
Cryostat 2quarkus-resteasy-reactiveFix deferred
OpenShift Serverlessquarkus-resteasy-reactiveFix deferred
Red Hat build of Apicurio Registry 2quarkus-resteasy-reactiveFix deferred
Red Hat build of OptaPlanner 8quarkus-resteasy-reactiveFix deferred
Red Hat Fuse 7quarkus-resteasy-reactiveFix deferred
Red Hat Integration Camel K 1quarkus-resteasy-reactiveFix deferred
Red Hat Integration Camel Quarkus 2quarkus-resteasy-reactiveFix deferred
Red Hat JBoss Enterprise Application Platform 8quarkus-resteasy-reactiveFix deferred
Red Hat Process Automation 7quarkus-resteasy-reactiveFix deferred

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-285
https://bugzilla.redhat.com/show_bug.cgi?id=2245197quarkus: Authorization flaw in Quarkus RestEasy Reactive and Classic when "quarkus.security.jaxrs.deny-unannotated-endpoints" or "quarkus.security.jaxrs.default-roles-allowed" properties are used.

EPSS

Процентиль: 28%
0.00099
Низкий

6.5 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2023-5675

CVSS3: 6.5
nvd
больше 1 года назад

A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties.

github логотип

GHSA-25w4-hfqg-4r52

CVSS3: 6.5
github
больше 1 года назад

Quarkus: authorization flaw in quarkus resteasy reactive and classic

EPSS

Процентиль: 28%
0.00099
Низкий

6.5 Medium

CVSS3