Michal Vavřík

Name of the Vulnerable Software and Affected Versions: Quarkus (affected versions not specified) Description: The issue is related to a flaw in the RESTEasy Reactive implementation, where security checks for some JAX-RS endpoints are performed after serialization, leading to increased resource consumption. An attacker with knowledge of specific request paths can potentially identify vulnerable endpoints and trigger excessive resource usage, resulting in a denial of service. The estimated number of potentially affected devices and details about real-world incidents are not provided. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Quarkus versions prior to 3.6.9 Quarkus versions prior to 3.7.1 Quarkus versions prior to 3.8.x **Description** A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either `quarkus.security.jaxrs.deny-unannotated-endpoints` or `quarkus.security.jaxrs.default-roles-allowed` properties. **Recommendations** For Quarkus versions prior to 3.6.9, update to version 3.6.9 or later. For Quarkus versions prior to 3.7.1, update to version 3.7.1 or later. For Quarkus versions prior to 3.8.x, update to the 3.8.x LTS branch. As a temporary workaround, consider disabling the `quarkus.security.jaxrs.deny-unannotated-endpoints` and `quarkus.security.jaxrs.default-roles-allowed` properties until a patch is available. Restrict access to Quarkus RestEasy Classic or Reactive JAX-RS endpoints to minimize the risk of exploitation.