CVE-2023-6267: Quarkus: json payload getting processed prior to security checks when rest resources are used with annotations.

Description

A flaw was found in Quarkus's handling of JSON payloads. If annotation-based security is used to secure a REST resource, the JSON body that the resource consumes is processed (deserialized) before the security constraints are evaluated and applied. This does not happen with configuration-based security.
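The pattern the description refers to, as an added example (not code from the advisory or from the Quarkus project): a REST resource that consumes a JSON body and is protected only by a security annotation, followed by the configuration-based alternative that the advisory states is unaffected. The resource name, the `Order` type and the `admin` role are assumptions; the `jakarta.*` package names are the Quarkus 3 ones, and on the 2.13 line the same annotations live under `javax.*`.

```java
// Added example, not part of the advisory. Class and role names are assumptions.
import jakarta.annotation.security.RolesAllowed;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.core.MediaType;

// Hypothetical request body type that the JSON payload is deserialized into.
class Order {
    public String id;
    public int quantity;
}

@Path("/orders")
public class OrderResource {

    // Annotation-based security: on the affected versions the JSON body is
    // deserialized into Order BEFORE @RolesAllowed is evaluated, so a caller
    // who fails the role check still has their payload run through the JSON
    // parser. This is the case CVE-2023-6267 describes.
    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    @RolesAllowed("admin")
    public String create(Order order) {
        return "created " + order.id;
    }
}

/*
 * Configuration-based security, which the advisory says is not affected:
 * the role check is enforced on the HTTP layer for the matching paths, so the
 * body is not deserialized for requests that fail it. Drop @RolesAllowed from
 * the resource and add this to src/main/resources/application.properties:
 *
 *   quarkus.http.auth.policy.admin-only.roles-allowed=admin
 *   quarkus.http.auth.permission.orders.paths=/orders,/orders/*
 *   quarkus.http.auth.permission.orders.policy=admin-only
 */
```

Either approach leaves the role requirement in place; the difference is only at which layer the check runs relative to body deserialization. Applying the errata listed below removes the ordering issue for annotation-based security as well.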

Classification

CVE ID: CVE-2023-6267

Affected Products

Vendor: Red Hat

Product: Red Hat build of Quarkus 2.13.9.Final

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.12% (estimated probability of exploitation in the wild)

EPSS Percentile: 47.54% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-03 (date the score was calculated)

References

https://access.redhat.com/errata/RHSA-2024:0494
https://access.redhat.com/errata/RHSA-2024:0495
https://access.redhat.com/security/cve/CVE-2023-6267
https://bugzilla.redhat.com/show_bug.cgi?id=2251155

Timeline