CVE-2023-6267 Quarkus: json payload getting processed prior to security checks when rest resources are used with annotations.

🗓️ 25 Jan 2024 18:12:44Reported by redhatType

Flaw in Quarkus rest resources processing JSON payload prior to security checks

Reporter	Title	Published	Views	Family All 18
IBM Security Bulletins	Security Bulletin: security vulnerabilities are addressed with IBM Business Automation Insights iFix for February 2023.	7 Mar 202409:24	–	ibm
Circl	CVE-2023-6267	25 Jan 202419:31	–	circl
CNNVD	Quarkus Security Vulnerabilities	25 Jan 202400:00	–	cnnvd
CVE	CVE-2023-6267	25 Jan 202418:12	–	cve
EUVD	EUVD-2024-0298	3 Oct 202520:07	–	euvd
Github Security Blog	Quarkus Improper Handling of Insufficient Permissions or Privileges and Improper Handling of Exceptional Conditions vulnerability	25 Jan 202421:32	–	github
NVD	CVE-2023-6267	25 Jan 202419:15	–	nvd
OSV	CVE-2023-6267	25 Jan 202419:15	–	osv
OSV	GHSA-8J3X-W35R-RW4R Quarkus Improper Handling of Insufficient Permissions or Privileges and Improper Handling of Exceptional Conditions vulnerability	25 Jan 202421:32	–	osv
Prion	Design/Logic Flaw	25 Jan 202419:15	–	prion

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Quarkus 2.13.9.Final",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.quarkus/quarkus-resteasy",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "2.13.9.Final-redhat-00003",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:quarkus:2.13"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Quarkus 3.2.9.Final",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.quarkus/quarkus-resteasy",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "3.2.9.Final-redhat-00003",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:quarkus:3.2"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of OptaPlanner 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "quarkus-resteasy-reactive",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:optaplanner:::el6"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Fuse 7",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "resteasy",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:jboss_fuse:7"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Integration Camel K 1",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "resteasy-core",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:integration:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Integration Camel Quarkus 2",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "quarkus-resteasy-reactive",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:camel_quarkus:2"
    ]
  }
]

Source	Link
access	www.access.redhat.com/security/cve/CVE-2023-6267
access	www.access.redhat.com/errata/RHSA-2024:0494
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
access	www.access.redhat.com/errata/RHSA-2024:0495

20 Nov 2025 07:08Current

9.5High risk

Vulners AI Score9.5

CVSS 3.18.6

EPSS0.00719

CWE-755