CVE-2024-1726: Quarkus: security checks for some inherited endpoints performed after serialization in resteasy reactive may trigger a denial of service

Description

A flaw was discovered in the RESTEasy Reactive implementation in Quarkus. Due to security checks for some JAX-RS endpoints being performed after serialization, more processing resources are consumed while the HTTP request is checked. In certain configurations, if an attacker has knowledge of any POST, PUT, or PATCH request paths, they can potentially identify vulnerable endpoints and trigger excessive resource usage as the endpoints process the requests. This can result in a denial of service.

Classification

CVE ID: CVE-2024-1726

Problem Types

Improper Preservation of Permissions

Affected Products

Vendor: , Red Hat, Red Hat

Product: , Red Hat build of Quarkus 3.2.11.Final, Red Hat build of Quarkus

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.28% (probability of being exploited)

EPSS Percentile: 48.87% (scored less or equal to compared to others)

EPSS Date: 2025-04-13 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: true

References

https://nvd.nist.gov/vuln/detail/CVE-2024-1726
https://access.redhat.com/errata/RHSA-2024:1662
https://access.redhat.com/security/cve/CVE-2024-1726
https://bugzilla.redhat.com/show_bug.cgi?id=2265158

Timeline

2025-03-15 05:40:12 UTC
CVE

Quarkus: security checks for some inherited endpoints performed after serialization in resteasy reactive may trigger a denial of service