CVE-2023-5675 | THREATINT

Description

A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties.

PUBLISHED Reserved 2023-10-20 | Published 2024-04-25 | Updated 2025-11-20 | Assigner redhat

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Problem types

Improper Authorization

Product status

Default status

unaffected

3.2.0 (maven) before 3.2.10.Final

affected

3.6.0 (maven) before 3.6.9

affected

3.7.0 (maven) before 3.7.1

affected

3.8.0 (maven) before 3.8.*

unaffected

Default status

affected

2.13.9.Final-redhat-00003 (rpm) before *

unaffected

Default status

affected

2.13.9.Final-redhat-00003 (rpm) before *

unaffected

Default status

affected

3.2.9.Final-redhat-00003 (rpm) before *

unaffected

Default status

affected

3.2.9.Final-redhat-00003 (rpm) before *

unaffected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Default status

affected

Timeline

2023-10-16:	Reported to Red Hat.
2024-01-24:	Made public.

Credits

This issue was discovered by Michal Vavřík (Red Hat).

References

access.redhat.com/errata/RHSA-2024:0494 (RHSA-2024:0494) vendor-advisory

access.redhat.com/errata/RHSA-2024:0495 (RHSA-2024:0495) vendor-advisory

access.redhat.com/security/cve/CVE-2023-5675 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2245197 (RHBZ#2245197) issue-tracking

access.redhat.com/errata/RHSA-2024:0494 (RHSA-2024:0494) vendor-advisory

access.redhat.com/errata/RHSA-2024:0495 (RHSA-2024:0495) vendor-advisory

access.redhat.com/security/cve/CVE-2023-5675 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2245197 (RHBZ#2245197) issue-tracking

cve.org (CVE-2023-5675)

nvd.nist.gov (CVE-2023-5675)

Download JSON

help @ threatint.eu