CVE-2023-5675 – io.quarkus:quarkus-resteasy-reactive-common-deployment

Package

Manager: maven
Name: io.quarkus:quarkus-resteasy-reactive-common-deployment
Vulnerable Version: >=0 <3.2.10.final || >=3.3.0 <3.6.9 || >=3.7.0 <3.7.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00073 pctl0.22728

Details

Quarkus: authorization flaw in quarkus resteasy reactive and classic A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties. While backports of this fix exist in versions 3.6.9 and 3.7.1 users of older versions are encouraged to update to the 3.8.x LTS branch.

Metadata

Created: 2024-04-25T18:30:39Z
Modified: 2024-08-02T15:45:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-25w4-hfqg-4r52/GHSA-25w4-hfqg-4r52.json
CWE IDs: ["CWE-285", "CWE-287"]
Alternative ID: GHSA-25w4-hfqg-4r52
Finding: F039
Auto approve: 1