Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS0yNXc0LWhmcWctNHI1Ms4AA7T0

Quarkus: authorization flaw in quarkus resteasy reactive and classic

A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties.

Permalink: https://github.com/advisories/GHSA-25w4-hfqg-4r52
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yNXc0LWhmcWctNHI1Ms4AA7T0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 days ago
Updated: 11 days ago

CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Identifiers: GHSA-25w4-hfqg-4r52, CVE-2023-5675
References:

• https://nvd.nist.gov/vuln/detail/CVE-2023-5675
• https://access.redhat.com/errata/RHSA-2024:0494
• https://access.redhat.com/errata/RHSA-2024:0495
• https://access.redhat.com/security/cve/CVE-2023-5675
• https://bugzilla.redhat.com/show_bug.cgi?id=2245197
• https://github.com/quarkusio/quarkus/commit/d802748128cd1932279b7c334f3792d481814ef5
• https://github.com/advisories/GHSA-25w4-hfqg-4r52

Repository: https://github.com/quarkusio/quarkus
Blast Radius: 13.3

Affected Packages