CVE-2023-6267

Quarkus: json payload getting processed prior to security checks when rest resources are used with annotations.

CVSS 8.6 HIGHEPSS 0.7%CWE-755

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.6EPSS 0.7%KEV nãoPoC —Patch referenciado

Lifecycle

25 Jan 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Affected products

Red Hat · Red Hat build of OptaPlanner 8 Red Hat · Red Hat build of Quarkus 2.13.9.Final Red Hat · Red Hat build of Quarkus 3.2.9.Final Red Hat · Red Hat Fuse 7 Red Hat · Red Hat Integration Camel K 1 Red Hat · Red Hat Integration Camel Quarkus 2

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://access.redhat.com/errata/RHSA-2024:0494 https://access.redhat.com/errata/RHSA-2024:0495 https://access.redhat.com/security/cve/CVE-2023-6267 https://bugzilla.redhat.com/show_bug.cgi?id=2251155