Fluid Attacks Database

Description

Quarkus: authorization flaw in quarkus resteasy reactive and classic A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties.

While backports of this fix exist in versions 3.6.9 and 3.7.1 users of older versions are encouraged to update to the 3.8.x LTS branch.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	io.quarkus:quarkus-resteasy-reactive-common-deployment	>=0 <3.2.10.final \|\| >=3.3.0 <3.6.9 \|\| >=3.7.0 <3.7.1	3.2.10.final, 3.6.9, 3.7.1
maven	io.quarkus:quarkus-resteasy-reactive-common	>=0 <3.2.10.final \|\| >=3.3.0 <3.6.9 \|\| >=3.7.0 <3.7.1	3.2.10.final, 3.6.9, 3.7.1

Aliases

1. CVE-2023-56752. NVD-2023-56753. OSV-2023-56754. GCVE-2023-56755. access.redhat.com6. access.redhat.com7. ACCESS-CVE-2023-5675

References

1. https://github.com/quarkusio/quarkus/commit/b7dd69a3012a872f2846d73072ff232e07da74dd2. https://github.com/quarkusio/quarkus/commit/bf2ef6c504b989f74ceb5947d823b6ab208f8b6e3. https://github.com/quarkusio/quarkus/commit/c026b1cf6f2e07cc50b65c824d922319248d93414. https://github.com/quarkusio/quarkus/commit/d802748128cd1932279b7c334f3792d481814ef55. https://bugzilla.redhat.com/show_bug.cgi?id=2245197

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.