Bug 2251155 (CVE-2023-6267)
Summary: | CVE-2023-6267 quarkus: json payload getting processed prior to security checks when rest resources are used with annotations. | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Rohit Keshri <rkeshri> |
Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
Status: | NEW --- | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | adupliak, aileenc, anstephe, avibelli, bgeorges, chazlett, clement.escoffier, cmiranda, dandread, dkreling, fmongiar, gmalinko, gsmet, janstey, jmartisk, jnethert, lthon, marcel, max.andersen, mnovotny, mosmerov, olubyans, pcongius, pdelbell, peholase, pgallagh, pjindal, probinso, rguimara, rruss, rsvoboda, saroy, sausingh, sbiarozk, sdouglas, security-response-team, tqvarnst |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 2251153 |
Description
Rohit Keshri
2023-11-23 06:34:38 UTC
This issue has been addressed in the following products: Red Hat build of Quarkus 2.13.9.SP1 Via RHSA-2024:0494 https://access.redhat.com/errata/RHSA-2024:0494 This issue has been addressed in the following products: Red Hat build of Quarkus 3.2.9.SP1 Via RHSA-2024:0495 https://access.redhat.com/errata/RHSA-2024:0495 It would be helpful if you could state in your documentation that this "3.2.9.SP1" version actually corresponds to 3.2.9.Final-redhat-00004 in the Maven repository. It was a guessing game. The https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/quarkus-3.2/guide/1fb66449-7cb8-4328-8bb6-f11921699056 guide was updated on January 25th (the same day as this entry) mentioning that version. Also, the 'lastUpdated' timestamp in https://maven.repository.redhat.com/ga/com/redhat/quarkus/platform/quarkus-bom/maven-metadata.xml confirmed this. It's January 25th as well. This comment was flagged a spam, view the edit history to see the original text if required. |