github - ghsa-8j3x-w35r-rw4r

ghsa-8j3x-w35r-rw4r

Vulnerability from github

Published

2024-01-25 21:32

Modified

2024-02-17 12:30

Severity

8.6 (High) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Summary

Quarkus Improper Handling of Insufficient Permissions or Privileges and Improper Handling of Exceptional Conditions vulnerability

Details

A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.quarkus.resteasy.reactive:resteasy-reactive"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.13.9.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.quarkus.resteasy.reactive:resteasy-reactive"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0.Final"
            },
            {
              "fixed": "3.2.9.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-6267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-280",
      "CWE-755"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-31T22:38:58Z",
    "nvd_published_at": "2024-01-25T19:15:08Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.",
  "id": "GHSA-8j3x-w35r-rw4r",
  "modified": "2024-02-17T12:30:26Z",
  "published": "2024-01-25T21:32:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6267"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:0494"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:0495"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-6267"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2251155"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/quarkusio/quarkus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Quarkus Improper Handling of Insufficient Permissions or Privileges and Improper Handling of Exceptional Conditions vulnerability"
}

cve-2023-6267

Vulnerability from cvelistv5

Published

2024-01-25 18:12

Modified

2024-09-16 17:04

Severity

8.6 (High) - cvssV3_1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Summary

Quarkus: json payload getting processed prior to security checks when rest resources are used with annotations.

References

URL	Tags
https://access.redhat.com/errata/RHSA-2024:0494	vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0495	vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-6267	vdb-entry, x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2251155	issue-tracking, x_refsource_REDHAT

Impacted products

Vendor	Product
Red Hat	Red Hat build of Quarkus 2.13.9.Final
Red Hat	Red Hat build of Quarkus 3.2.9.Final
Red Hat	Red Hat build of OptaPlanner 8
Red Hat	Red Hat Integration Camel K
Red Hat	Red Hat Integration Camel Quarkus
Red Hat	Red Hat JBoss Fuse 7

Show details on NVD website