Bug 2245197 (CVE-2023-5675) - CVE-2023-5675 quarkus: Authorization flaw in Quarkus RestEasy Reactive and Classic when "quarkus.security.jaxrs.deny-unannotated-endpoints" or "quarkus.security.jaxrs.default-roles-allowed" properties are used.
Keywords:
Status: NEW
Alias: CVE-2023-5675
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2245198
Reported: 2023-10-20 04:37 UTC by Vipul Nair
Modified: 2024-05-03 18:49 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:0494 0 None None None 2024-01-25 13:52:00 UTC
Red Hat Product Errata RHSA-2024:0495 0 None None None 2024-01-25 13:52:19 UTC

Description Vipul Nair 2023-10-20 04:37:29 UTC
When a RestEasy Reactive JAX-RS endpoint has its methods with HTTP method annotations declared in the abstract Java class, or when its methods without HTTP method annotations are customised by Quarkus extensions to handle JAX-RS GET requests using the annotation processor, then the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties.

So a combination of 2 factors triggers it: 
* Users enable the security authorization of JAX-RS endpoints with either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties
* Users declare JAX-RS methods which must be secured with these properties in the Java abstract class which the JAX-RS endpoint class will extend
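
The two factors above, shown side by side as an added illustration (this is not code from the bug report or from the Quarkus project): an endpoint whose @GET handler is inherited from an abstract class, and a layout that keeps the handler on the concrete endpoint class with an explicit role requirement. Class names, paths, the role name and the Quarkus 3 jakarta.* imports are assumptions for the example.

```java
// application.properties (constructed for this example):
//   quarkus.security.jaxrs.deny-unannotated-endpoints=true
// With this property set, every JAX-RS method that carries no security
// annotation is expected to be denied.

import jakarta.annotation.security.RolesAllowed;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;

// Layout the report describes (names invented): the @GET handler is declared
// in an abstract class and only inherited by the @Path endpoint class. On the
// affected versions the deny-unannotated default was not enforced for this
// method, so GET /reports/export answered without any authorization check.
abstract class AbstractReportResource {
    @GET
    @Path("export")
    @Produces(MediaType.TEXT_PLAIN)
    public String export() {
        return "quarterly figures";
    }
}

@Path("/reports")
public class ReportResource extends AbstractReportResource {
    // nothing declared here; export() is inherited from the abstract class
}

// Layout that avoids the condition: the handler is declared directly on the
// concrete endpoint class and carries an explicit role requirement, so it is
// neither "unannotated" nor inherited.
@Path("/reports-v2")
class SecuredReportResource {
    @GET
    @Path("export")
    @Produces(MediaType.TEXT_PLAIN)
    @RolesAllowed("report-reader")
    public String export() {
        return "quarterly figures";
    }
}
```

A regression check for either layout is an unauthenticated GET to the export path, which must be answered with 401 or 403 and never with the report body.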

Comment 6 errata-xmlrpc 2024-01-25 13:51:56 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.9.SP1

Via RHSA-2024:0494 https://access.redhat.com/errata/RHSA-2024:0494

Comment 7 errata-xmlrpc 2024-01-25 13:52:15 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.2.9.SP1

Via RHSA-2024:0495 https://access.redhat.com/errata/RHSA-2024:0495

