CVE-2023-6267

2024-01-2519:15:08

CWE-755

CWE-280

[email protected]

web.nvd.nist.gov

140

cve-2023-6267

json

security

deserialization

rest

annotation-based security

configuration-based security

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.5%

JSON

A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.

Affected configurations

NVD

Node

quarkusquarkusRange<2.13.9

quarkusquarkusRange3.0.0–3.2.9

quarkusquarkusMatch2.13.9-

quarkusquarkusMatch3.2.9-

CPENameOperatorVersion
quarkus:quarkusquarkuslt2.13.9
quarkus:quarkusquarkuslt3.2.9

CPE	Name	Operator	Version
quarkus:quarkus	quarkus	lt	2.13.9
quarkus:quarkus	quarkus	lt	3.2.9

CNA Affected

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Quarkus 2.13.9.Final",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.quarkus/quarkus-resteasy",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "2.13.9.Final-redhat-00003",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:quarkus:2.13"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Quarkus 3.2.9.Final",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.quarkus/quarkus-resteasy",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "3.2.9.Final-redhat-00003",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:quarkus:3.2"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of OptaPlanner 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "quarkus-resteasy-reactive",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:optaplanner:::el6"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Integration Camel K",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "resteasy-core",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:integration:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Integration Camel Quarkus",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "quarkus-resteasy-reactive",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:camel_quarkus:2"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat JBoss Fuse 7",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "packageName": "resteasy",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:jboss_fuse:7"
    ]
  }
]