cvelist / Red Hat / CVELIST:CVE-2023-6267
History: Jan 25, 2024 - 6:12 p.m.

CVE-2023-6267 Quarkus: json payload getting processed prior to security checks when rest resources are used with annotations.

2024-01-25 18:12:44
CWE-280
redhat
www.cve.org
Tags: cve-2023-6267, quarkus, json payload, security checks, rest resources, annotations, deserialized, configuration based security

8.6 High (CVSS3)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: LOW
  Integrity Impact: LOW
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

AI Score: 9.5 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 29.8%)

A flaw was found in how Quarkus handles JSON request payloads. If annotation-based security (for example @RolesAllowed on a JAX-RS resource method) is used to secure a REST resource, the JSON body that the resource consumes is deserialized before the security constraints are evaluated and applied, so an unauthenticated request can still drive the deserializer with an attacker-controlled body. This does not happen with configuration-based security, where the HTTP permission check is applied before the request is dispatched to the resource.
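As an added illustration of the two patterns the description contrasts (this is example code, not code from the Quarkus project or from the advisory), the resource below shows the affected shape: a JAX-RS method that consumes JSON and is guarded only by an annotation. The package, class, path and role names are assumptions for the example; it uses the jakarta.* namespace of Quarkus 3.x (Quarkus 2.13 uses javax.*) and assumes a Jackson-based RESTEasy extension is on the classpath. The trailing comment shows the configuration-based HTTP policy that the advisory describes as unaffected.

```java
// Added example, not the project's own code. Package, names and paths are hypothetical.
package org.example;

import jakarta.annotation.security.RolesAllowed;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.core.MediaType;

@Path("/api/admin")
public class AdminResource {

    // Plain POJO bound from the JSON body by the Jackson-based RESTEasy extension.
    public static class Settings {
        public String name;
        public int retentionDays;
    }

    // Annotation-based security (the affected pattern). In the versions listed
    // in CNA Affected, the request body is deserialized into Settings BEFORE the
    // @RolesAllowed check is evaluated, so an unauthenticated client still gets
    // its JSON processed by the deserializer.
    @POST
    @Path("/settings")
    @Consumes(MediaType.APPLICATION_JSON)
    @RolesAllowed("admin")
    public String update(Settings settings) {
        return "updated " + settings.name;
    }
}

/*
 * Configuration-based security (the pattern the advisory says is NOT affected).
 * These properties go in src/main/resources/application.properties; the HTTP
 * permission is enforced at the HTTP layer before the request reaches the
 * resource method, so the body is never deserialized for a rejected request.
 *
 * quarkus.http.auth.policy.admin-only.roles-allowed=admin
 * quarkus.http.auth.permission.admin.paths=/api/admin/*
 * quarkus.http.auth.permission.admin.policy=admin-only
 */
```

A quick way to observe the ordering the advisory describes (this check is derived from the description, not stated on the page): send an unauthenticated POST to the annotated endpoint with a deliberately malformed JSON body. If the response reflects a deserialization failure rather than the authentication or authorization failure the annotation should have produced first, the body is being processed before the security check. Applying the path-based policy above, or moving to the unaffected builds listed under CNA Affected, removes that exposure.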

CNA Affected

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Quarkus 2.13.9.Final",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.quarkus/quarkus-resteasy",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "2.13.9.Final-redhat-00003",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:quarkus:2.13"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Quarkus 3.2.9.Final",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "io.quarkus/quarkus-resteasy",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "3.2.9.Final-redhat-00003",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:quarkus:3.2"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of OptaPlanner 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "quarkus-resteasy-reactive",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:optaplanner:::el6"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Integration Camel K",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "resteasy-core",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:integration:1"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Integration Camel Quarkus",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "quarkus-resteasy-reactive",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:camel_quarkus:2"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat JBoss Fuse 7",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "packageName": "resteasy",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/a:redhat:jboss_fuse:7"
    ]
  }
]
