CVE-2023-6267

Quarkus: json payload getting processed prior to security checks when rest resources are used with annotations.

CVSS 8.6 HIGHEPSS 0.7%CWE-755

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 8.6EPSS 0.7%KEV nãoPoC —Patch referenciado

Ciclo de vida

25 jan 2024Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Produtos afetados

Red Hat · Red Hat build of OptaPlanner 8 Red Hat · Red Hat build of Quarkus 2.13.9.Final Red Hat · Red Hat build of Quarkus 3.2.9.Final Red Hat · Red Hat Fuse 7 Red Hat · Red Hat Integration Camel K 1 Red Hat · Red Hat Integration Camel Quarkus 2

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://access.redhat.com/errata/RHSA-2024:0494 https://access.redhat.com/errata/RHSA-2024:0495 https://access.redhat.com/security/cve/CVE-2023-6267 https://bugzilla.redhat.com/show_bug.cgi?id=2251155