Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yNXc0LWhmcWctNHI1Ms4AA7T0
Quarkus: authorization flaw in quarkus resteasy reactive and classic
A flaw was found in Quarkus. When a Quarkus RESTEasy Classic or RESTEasy Reactive JAX-RS endpoint has its methods declared in an abstract Java class, or has them customized by a Quarkus extension through the annotation processor, authorization for those methods is not enforced when it is enabled by either the 'quarkus.security.jaxrs.deny-unannotated-endpoints' or the 'quarkus.security.jaxrs.default-roles-allowed' property. Endpoints relying only on those properties for protection therefore answer anonymous or under-privileged requests as if no authorization were configured.
Backports of the fix exist in 3.6.9, 3.7.1 and 3.2.10.Final; users of older versions are encouraged to update to the 3.8.x LTS branch.
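The endpoint layout the advisory describes, together with a regression test a practitioner can drop into an affected application to see whether property-driven authorization is actually applied. This is an added example, not code from the advisory or from the Quarkus project. It assumes a Quarkus 3.x project (jakarta namespace) with the RESTEasy Reactive or RESTEasy Classic extension, a security extension providing the security capability, quarkus-junit5 and rest-assured as test dependencies; the package name, resource paths, class names and the "confidential" payload are hypothetical. Three source files are shown in one listing, separated by "--- file:" markers.

```java
// Added example (not from the advisory or the Quarkus project). Package,
// paths and class names are hypothetical; each "--- file:" block is its own file.

// --- file: src/main/java/org/example/reports/AbstractReportResource.java ---
package org.example.reports;

import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;

/**
 * The JAX-RS method is declared in the abstract parent, not in the class that
 * carries the resource @Path. This is the shape the advisory describes: on
 * affected versions the authorization that deny-unannotated-endpoints or
 * default-roles-allowed should apply is skipped for summary().
 */
public abstract class AbstractReportResource {

    @GET
    @Path("/summary")
    @Produces(MediaType.TEXT_PLAIN)
    public String summary() {
        return "quarterly revenue: confidential";
    }
}

// --- file: src/main/java/org/example/reports/ReportResource.java ---
package org.example.reports;

import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;

@Path("/reports")
public class ReportResource extends AbstractReportResource {

    /** Declared directly on the concrete resource: the control case. */
    @GET
    @Path("/count")
    @Produces(MediaType.TEXT_PLAIN)
    public String count() {
        return "42";
    }
}

// --- file: src/test/java/org/example/reports/ReportAuthzTest.java ---
package org.example.reports;

import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.anyOf;
import static org.hamcrest.Matchers.is;

import java.util.Map;

import io.quarkus.test.junit.QuarkusTest;
import io.quarkus.test.junit.QuarkusTestProfile;
import io.quarkus.test.junit.TestProfile;
import org.junit.jupiter.api.Test;

/**
 * Regression test for CVE-2023-5675. Both requests are anonymous and neither
 * endpoint carries a security annotation of its own, so the only protection
 * is the property set in the test profile. Quarkus denies an anonymous caller
 * with 401 (403 for an authenticated but unauthorized one); any other status
 * means the check was skipped.
 */
@QuarkusTest
@TestProfile(ReportAuthzTest.DenyUnannotated.class)
public class ReportAuthzTest {

    /** Same effect as quarkus.security.jaxrs.deny-unannotated-endpoints=true in application.properties. */
    public static class DenyUnannotated implements QuarkusTestProfile {
        @Override
        public Map<String, String> getConfigOverrides() {
            return Map.of("quarkus.security.jaxrs.deny-unannotated-endpoints", "true");
        }
    }

    @Test
    void methodDeclaredOnConcreteResourceIsDenied() {
        given().when().get("/reports/count")
               .then().statusCode(anyOf(is(401), is(403)));
    }

    @Test
    void methodInheritedFromAbstractClassIsDenied() {
        // Expected to fail with 200 on affected versions (3.3.0 to 3.6.8, 3.7.0,
        // < 3.2.10.Final) and pass on 3.6.9, 3.7.1, 3.2.10.Final and later.
        given().when().get("/reports/summary")
               .then().statusCode(anyOf(is(401), is(403)));
    }
}
```

Run with `./mvnw test`. To exercise the other property from the advisory, replace the override with `quarkus.security.jaxrs.default-roles-allowed` set to a role name of your choice; the expected status codes are the same. To confirm which version is on the classpath before and after upgrading, `mvn dependency:tree -Dincludes=io.quarkus:quarkus-resteasy-reactive-common` and compare the result with the Affected Version Ranges listed under Affected Packages.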
Permalink: https://github.com/advisories/GHSA-25w4-hfqg-4r52
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yNXc0LWhmcWctNHI1Ms4AA7T0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 6 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Percentage: 0.00045
EPSS Percentile: 0.17541
Identifiers: GHSA-25w4-hfqg-4r52, CVE-2023-5675
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-5675
- https://access.redhat.com/errata/RHSA-2024:0494
- https://access.redhat.com/errata/RHSA-2024:0495
- https://access.redhat.com/security/cve/CVE-2023-5675
- https://bugzilla.redhat.com/show_bug.cgi?id=2245197
- https://github.com/quarkusio/quarkus/commit/d802748128cd1932279b7c334f3792d481814ef5
- https://github.com/quarkusio/quarkus/commit/b7dd69a3012a872f2846d73072ff232e07da74dd
- https://github.com/quarkusio/quarkus/commit/bf2ef6c504b989f74ceb5947d823b6ab208f8b6e
- https://github.com/quarkusio/quarkus/commit/c026b1cf6f2e07cc50b65c824d922319248d9341
- https://github.com/advisories/GHSA-25w4-hfqg-4r52
Blast Radius: 13.3
Affected Packages
maven:io.quarkus:quarkus-resteasy-reactive-common
Dependent packages: 13
Dependent repositories: 112
Affected Version Ranges: >= 3.7.0, < 3.7.1, >= 3.3.0, < 3.6.9, < 3.2.10.Final
Fixed in: 3.7.1, 3.6.9, 3.2.10.Final
All affected versions: 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.7.0
All unaffected versions: 3.6.9, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.10.0, 3.10.1, 3.10.2, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.13.0, 3.13.1, 3.13.2, 3.13.3, 3.14.0, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.15.0, 3.15.1, 3.15.2, 3.15.3
maven:io.quarkus:quarkus-resteasy-reactive-common-deployment
Dependent packages: 11
Dependent repositories: 108
Affected Version Ranges: >= 3.7.0, < 3.7.1, >= 3.3.0, < 3.6.9, < 3.2.10.Final
Fixed in: 3.7.1, 3.6.9, 3.2.10.Final
All affected versions: 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.7.0
All unaffected versions: 3.6.9, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.9.0, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.9.5, 3.10.0, 3.10.1, 3.10.2, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.13.0, 3.13.1, 3.13.2, 3.13.3, 3.14.0, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.15.0, 3.15.1, 3.15.2, 3.15.3