CVE-2023-6267: Quarkus: json payload getting processed prior to security checks when rest resources are used with annotations.
First published: Thu Nov 23 2023(Updated: )
A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/io.quarkus.resteasy.reactive:resteasy-reactive | >=3.0.0.Final<3.2.9.Final | 3.2.9.Final |
| maven/io.quarkus.resteasy.reactive:resteasy-reactive | <2.13.9.Final | 2.13.9.Final |
| Red Hat Quarkus | <2.13.9 | |
| Red Hat Quarkus | >=3.0.0<3.2.9 | |
| Red Hat Quarkus | =2.13.9 | |
| Red Hat Quarkus | =3.2.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2023-6267
- https://access.redhat.com/security/cve/CVE-2023-6267
- https://bugzilla.redhat.com/show_bug.cgi?id=2251155
- https://access.redhat.com/errata/RHSA-2024:0494
- https://access.redhat.com/errata/RHSA-2024:0495
- https://github.com/advisories/GHSA-8j3x-w35r-rw4r (Advisory)
- https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/quarkus-3.2/guide/1fb66449-7cb8-4328-8bb6-f11921699056
- https://maven.repository.redhat.com/ga/com/redhat/quarkus/platform/quarkus-bom/maven-metadata.xml
- https://exchange.xforce.ibmcloud.com/vulnerabilities/280942
- https://www.ibm.com/support/pages/node/7145492 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2023-6267?
CVE-2023-6267 has been classified with a medium severity level due to the potential for security bypass in REST resources.
How do I fix CVE-2023-6267?
To fix CVE-2023-6267, upgrade to io.quarkus.resteasy.reactive version 3.2.9.Final or 2.13.9.Final or later.
What type of vulnerability is CVE-2023-6267?
CVE-2023-6267 is a deserialization vulnerability affecting the JSON payload processing in annotation based security.
Which versions of Quarkus are affected by CVE-2023-6267?
CVE-2023-6267 affects all versions of Red Hat Quarkus from 2.0.0 to 3.2.8 and includes specific versions like 2.13.9 and 3.2.9.
What is the impact of CVE-2023-6267?
The impact of CVE-2023-6267 includes potential unauthorized data access due to security constraints being evaluated after JSON deserialization.
- agent/title
- agent/type
- agent/first-publish-date
- agent/author
- collector/ibm-support
- source/IBM
- agent/references
- agent/severity
- agent/description
- agent/weakness
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8j3x-w35r-rw4r
- alias/CVE-2023-6267
- agent/software-canonical-lookup
- agent/event
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-api
- package-manager/maven
- vendor/quarkus
- canonical/red hat quarkus
- version/red hat quarkus/3.0.0
- version/red hat quarkus/2.13.9
- version/red hat quarkus/3.2.9