CVE-2023-6267 – io.quarkus.resteasy.reactive:resteasy-reactive

Package

Manager: maven
Name: io.quarkus.resteasy.reactive:resteasy-reactive
Vulnerable Version: >=0 <2.13.9.final || >=3.0.0.final <3.2.9.final

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00673 pctl0.70505

Details

Quarkus Improper Handling of Insufficient Permissions or Privileges and Improper Handling of Exceptional Conditions vulnerability A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.

Metadata

Created: 2024-01-25T21:32:14Z
Modified: 2024-11-25T14:33:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-8j3x-w35r-rw4r/GHSA-8j3x-w35r-rw4r.json
CWE IDs: ["CWE-280", "CWE-502", "CWE-755"]
Alternative ID: GHSA-8j3x-w35r-rw4r
Finding: F096
Auto approve: 1