CVE-2023-5675

Published: Apr 25, 2024Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploitability: 3.9 / Impact: 2.5

Source: secalert@redhat.com (Secondary)

Description

A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties.

Related CWEs

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References (8)

https://access.redhat.com/errata/RHSA-2024:0494

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2024:0495

Source: secalert@redhat.com

https://access.redhat.com/security/cve/CVE-2023-5675

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2245197

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2024:0494

Source: af854a3a-2127-422b-91ae-364da2661108

https://access.redhat.com/errata/RHSA-2024:0495

Source: af854a3a-2127-422b-91ae-364da2661108

https://access.redhat.com/security/cve/CVE-2023-5675

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.redhat.com/show_bug.cgi?id=2245197

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.