Description:

Security checks for standard security annotations on RESTEasy Reactive inherited endpoints are not performed eagerly; they are performed by the standard security interceptors instead. Apart from the functional differences, this means that for inherited endpoints the check runs only after the JAX-RS filters, not before.

As long as you know any POST / PUT / PATCH request paths, you can send unauthenticated HTTP requests with an illegal payload and observe the response status. When you get a 500, you have detected an endpoint this way (though there can be other reasons for a 500). Could this significantly raise processing time? You can send valid content, which means the requests will only be stopped after the JAX-RS filters. The resulting impact depends on what those JAX-RS filters do.

Affected Quarkus versions: 999-SNAPSHOT, 3.8.x, 3.7.x, 3.2.x, 2.13.x

Mitigations with an affected version: don't use inherited endpoints (or use HTTP permissions, depending on the scenario).

References:
https://github.com/quarkusio/quarkus/pull/38832
https://github.com/quarkusio/quarkus/issues/38754
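The following is an added illustration, not code from the advisory or from the Quarkus project, of what an "inherited endpoint" with a standard security annotation looks like: the parent declares the JAX-RS method and its `@RolesAllowed`, and the concrete resource inherits both. The package, class, path, role and field names are assumptions.

```java
// Added example (not from the advisory or the Quarkus project); the
// package, class, path and role names below are assumptions.
package org.acme.orders;

import jakarta.annotation.security.RolesAllowed;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.core.MediaType;

// Request body; deserialised from JSON before the resource method runs.
record OrderRequest(String sku, int quantity) {
}

// The parent declares both the JAX-RS method and its security annotation.
// JAX-RS lets a subclass inherit these annotations as long as the
// overriding method carries no JAX-RS annotations of its own.
abstract class SecuredOrderApi {

    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    @RolesAllowed("admin")
    public abstract String create(OrderRequest request);
}

// Concrete resource: "create" is an inherited endpoint in the advisory's
// sense. On affected versions its @RolesAllowed check is enforced by the
// standard security interceptor, i.e. only after the JAX-RS filters have run
// and the body has been deserialised, not eagerly at the start of the request.
@Path("/orders")
public class OrderResource extends SecuredOrderApi {

    @Override
    public String create(OrderRequest request) {
        // Business logic would go here; a real implementation would persist the order.
        return "created " + request.quantity() + " x " + request.sku();
    }
}
```

Until a fixed version is in place, the advisory's alternative mitigation is an HTTP permission that guards the path at the HTTP layer, before any JAX-RS filter or body deserialisation runs. For the resource above that would be, in `application.properties`, `quarkus.http.auth.policy.admin-only.roles-allowed=admin`, `quarkus.http.auth.permission.orders.paths=/orders,/orders/*`, `quarkus.http.auth.permission.orders.methods=POST,PUT,PATCH` and `quarkus.http.auth.permission.orders.policy=admin-only`; the key names are the standard Quarkus HTTP permission configuration, the values are assumptions matching the example. With that in place an unauthenticated POST to `/orders` is rejected with 401 regardless of its payload, so neither the 500-based endpoint detection nor the filter-processing cost described in the advisory applies.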
This issue has been addressed in the following products:
Red Hat build of Quarkus 3.2.11, via RHSA-2024:1662: https://access.redhat.com/errata/RHSA-2024:1662