CVE-2023-6267

Quarkus: json payload getting processed prior to security checks when rest resources are used with annotations.

CVSS 8.6 HIGHEPSS 0.7%CWE-755

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 8.6EPSS 0.7%KEV nãoPoC —Patch referenciado

Ciclo de vida

25 ene 2024Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Productos afectados

Red Hat · Red Hat build of OptaPlanner 8 Red Hat · Red Hat build of Quarkus 2.13.9.Final Red Hat · Red Hat build of Quarkus 3.2.9.Final Red Hat · Red Hat Fuse 7 Red Hat · Red Hat Integration Camel K 1 Red Hat · Red Hat Integration Camel Quarkus 2

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://access.redhat.com/errata/RHSA-2024:0494 https://access.redhat.com/errata/RHSA-2024:0495 https://access.redhat.com/security/cve/CVE-2023-6267 https://bugzilla.redhat.com/show_bug.cgi?id=2251155