- Vulnerability/
- CVE-2023-5675
CVE-2023-5675: Quarkus: authorization flaw in quarkus resteasy reactive and classic when "quarkus.security.jaxrs.deny-unannotated-endpoints" or "quarkus.security.jaxrs.default-roles-allowed" properties are used.
First published: Fri Oct 20 2023(Updated: )
A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/io.quarkus:quarkus-resteasy-reactive-common | >=3.7.0<3.7.1 | 3.7.1 |
| maven/io.quarkus:quarkus-resteasy-reactive-common-deployment | >=3.7.0<3.7.1 | 3.7.1 |
| maven/io.quarkus:quarkus-resteasy-reactive-common | >=3.3.0<3.6.9 | 3.6.9 |
| maven/io.quarkus:quarkus-resteasy-reactive-common-deployment | >=3.3.0<3.6.9 | 3.6.9 |
| maven/io.quarkus:quarkus-resteasy-reactive-common | <3.2.10.Final | 3.2.10.Final |
| maven/io.quarkus:quarkus-resteasy-reactive-common-deployment | <3.2.10.Final | 3.2.10.Final |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/280941
- https://www.ibm.com/support/pages/node/7145492 (Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-5675
- https://access.redhat.com/errata/RHSA-2024:0494
- https://access.redhat.com/errata/RHSA-2024:0495
- https://access.redhat.com/security/cve/CVE-2023-5675
- https://bugzilla.redhat.com/show_bug.cgi?id=2245197
- https://github.com/quarkusio/quarkus/commit/d802748128cd1932279b7c334f3792d481814ef5
- https://github.com/advisories/GHSA-25w4-hfqg-4r52 (Advisory)
- https://github.com/quarkusio/quarkus/commit/b7dd69a3012a872f2846d73072ff232e07da74dd
- https://github.com/quarkusio/quarkus/commit/bf2ef6c504b989f74ceb5947d823b6ab208f8b6e
- https://github.com/quarkusio/quarkus/commit/c026b1cf6f2e07cc50b65c824d922319248d9341
Frequently Asked Questions
What is the severity of CVE-2023-5675?
CVE-2023-5675 is considered a critical security vulnerability in Quarkus.
How do I fix CVE-2023-5675?
To fix CVE-2023-5675, update Quarkus to version 3.7.1 for both quarkus-resteasy-reactive-common and quarkus-resteasy-reactive-common-deployment.
Which versions of Quarkus are affected by CVE-2023-5675?
CVE-2023-5675 affects Quarkus versions 3.3.0 to 3.7.0 for the packages io.quarkus:quarkus-resteasy-reactive-common and io.quarkus:quarkus-resteasy-reactive-common-deployment.
What are the consequences of CVE-2023-5675?
The consequences of CVE-2023-5675 include the potential failure to enforce authorization on specified JAX-RS methods, which may lead to unauthorized access.
Is there a workaround available for CVE-2023-5675?
There are no known workarounds for CVE-2023-5675; updating to the latest version is recommended.
- agent/first-publish-date
- collector/ibm-support
- source/IBM
- agent/type
- agent/title
- agent/severity
- agent/event
- agent/author
- agent/description
- agent/softwarecombine
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-5675
- collector/nvd-api
- source/NVD
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-25w4-hfqg-4r52
- agent/software-canonical-lookup
- collector/nvd-cve
- agent/references
- collector/github-advisory
- agent/trending
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/epss-latest
- source/FIRST
- agent/source
- agent/tags
- agent/epss
- package-manager/maven