CVE-2023-5675

MEDIUM

Quarkus < 3.2.10.Final - Improper Authorization in JAX-RS Endpoint Method Handling


Description

A flaw was found in Quarkus. When a Quarkus RESTEasy Classic or RESTEasy Reactive JAX-RS endpoint has its methods declared in an abstract Java class, or has them customized by Quarkus extensions using the annotation processor, authorization is not enforced on those methods even when it is enabled by either the 'quarkus.security.jaxrs.deny-unannotated-endpoints' or the 'quarkus.security.jaxrs.default-roles-allowed' property.

References (4)

Core References (4)
Issue Tracking (issue-tracking, x_refsource_redhat): https://bugzilla.redhat.com/show_bug.cgi?id=2245197
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2024:0494
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2024:0495
Vendor Advisory (vdb-entry, x_refsource_redhat): https://access.redhat.com/security/cve/CVE-2023-5675

Scores

CVSS v3 6.5
EPSS 0.0013
EPSS Percentile 31.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-285
Status published
Products (14)
io.quarkus/quarkus-resteasy-reactive-common (Maven) 0 - 3.2.10.Final
io.quarkus/quarkus-resteasy-reactive-common-deployment (Maven) 0 - 3.2.10.Final
Red Hat/A-MQ Clients 2
Red Hat/Cryostat 2
Red Hat/OpenShift Serverless
Red Hat/Red Hat build of Apicurio Registry 2
Red Hat/Red Hat build of OptaPlanner 8
Red Hat/Red Hat build of Quarkus 2.13.9.Final 2.13.9.Final-redhat-00003
Red Hat/Red Hat build of Quarkus 3.2.9.Final 3.2.9.Final-redhat-00003
Red Hat/Red Hat Fuse 7
... and 4 more
Published Apr 25, 2024
Tracked Since Feb 18, 2026