CVE-2023-5675: Quarkus: authorization flaw in quarkus resteasy reactive and classic
A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either ‘quarkus.security.jaxrs.deny-unannotated-endpoints’ or ‘quarkus.security.jaxrs.default-roles-allowed’ properties.
References
- access.redhat.com/errata/RHSA-2024:0494
- access.redhat.com/errata/RHSA-2024:0495
- access.redhat.com/security/cve/CVE-2023-5675
- bugzilla.redhat.com/show_bug.cgi?id=2245197
- github.com/advisories/GHSA-25w4-hfqg-4r52
- github.com/quarkusio/quarkus
- github.com/quarkusio/quarkus/commit/d802748128cd1932279b7c334f3792d481814ef5
- nvd.nist.gov/vuln/detail/CVE-2023-5675
Detect and mitigate CVE-2023-5675 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →