Bug 2245197 (CVE-2023-5675)
| Field | Value |
|---|---|
| Summary | CVE-2023-5675 quarkus: Authorization flaw in Quarkus RestEasy Reactive and Classic when "quarkus.security.jaxrs.deny-unannotated-endpoints" or "quarkus.security.jaxrs.default-roles-allowed" properties are used. |
| Product | [Other] Security Response |
| Reporter | Vipul Nair <vinair> |
| Component | vulnerability |
| Assignee | Product Security <prodsec-ir-bot> |
| Status | NEW --- |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | aazores, adupliak, aileenc, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmiranda, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, dsimansk, eaguilar, ebaron, eric.wittmann, fjuma, fmongiar, gmalinko, gsmet, ibek, ivassile, iweiss, janstey, jkang, jmartisk, jnethert, jpallich, jrokos, kingland, kverlaen, lball, lgao, lthon, matzew, max.andersen, mnovotny, mosmerov, msochure, mstefank, msvehla, nwallace, olubyans, pantinor, pcongius, pdelbell, peholase, pgallagh, pierdipi, pjindal, pmackay, probinso, rguimara, rhuss, rruss, rstancel, rsvoboda, saroy, sausingh, sbiarozk, security-response-team, sfroberg, skontopo, smaestri, tom.jenkinson, tqvarnst |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 2245198 |

Doc Text:
A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in an abstract Java class, or has them customized by Quarkus extensions using the annotation processor, authorization of these methods is not enforced even when it is enabled by either the 'quarkus.security.jaxrs.deny-unannotated-endpoints' or the 'quarkus.security.jaxrs.default-roles-allowed' property.
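An added illustration, not code from the Quarkus project or from this bug report, of the endpoint shape the Doc Text describes and of the defensive pattern a reviewer would look for: a JAX-RS method inherited from an abstract class whose authorization rests only on `quarkus.security.jaxrs.deny-unannotated-endpoints`, beside the same method carrying an explicit `@RolesAllowed` on the method itself. Class names, paths and the role name are assumptions, the `jakarta.*` packages are those of Quarkus 3.x, and it is assumed that an explicitly annotated method is checked by the standard annotation-based security mechanism rather than by the default-roles mechanism this flaw concerns.

```java
// application.properties (constructed for this example):
//   quarkus.security.jaxrs.deny-unannotated-endpoints=true
//
// Audit question for affected builds: does every endpoint method, including
// ones inherited from an abstract base class, carry its own security
// annotation, or does it rely solely on the property above?
// (Classes are shown in one file for brevity; each would normally get its own.)

import jakarta.annotation.security.RolesAllowed;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;

// Shape named in the Doc Text: the endpoint method lives in an abstract
// class and has no security annotation of its own. In affected versions the
// deny-unannotated-endpoints property does not cover it.
abstract class AbstractReportResource {

    @GET
    @Path("/summary")
    @Produces(MediaType.TEXT_PLAIN)
    public String summary() {
        return "report summary";
    }
}

@Path("/reports")
class ReportResource extends AbstractReportResource {
}

// Defensive form: the same inherited endpoint with an explicit role check on
// the method, so enforcement does not hinge on the default-roles mechanism.
// Upgrading to a fixed build (the RHSA advisories below) remains the remedy.
abstract class AbstractSecuredReportResource {

    @GET
    @Path("/summary")
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed("report-reader")   // assumed role name
    public String summary() {
        return "report summary";
    }
}

@Path("/secured-reports")
class SecuredReportResource extends AbstractSecuredReportResource {
}
```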
Description
Vipul Nair, 2023-10-20 04:37:29 UTC

This issue has been addressed in the following products: Red Hat build of Quarkus 2.13.9.SP1 Via RHSA-2024:0494 https://access.redhat.com/errata/RHSA-2024:0494

This issue has been addressed in the following products: Red Hat build of Quarkus 3.2.9.SP1 Via RHSA-2024:0495 https://access.redhat.com/errata/RHSA-2024:0495