CVE-2023-5675

Name of the Vulnerable Software and Affected Versions Quarkus versions prior to 3.6.9 Quarkus versions prior to 3.7.1 Quarkus versions prior to 3.8.x

Description A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either quarkus.security.jaxrs.deny-unannotated-endpoints or quarkus.security.jaxrs.default-roles-allowed properties.

Recommendations For Quarkus versions prior to 3.6.9, update to version 3.6.9 or later. For Quarkus versions prior to 3.7.1, update to version 3.7.1 or later. For Quarkus versions prior to 3.8.x, update to the 3.8.x LTS branch. As a temporary workaround, consider disabling the quarkus.security.jaxrs.deny-unannotated-endpoints and quarkus.security.jaxrs.default-roles-allowed properties until a patch is available. Restrict access to Quarkus RestEasy Classic or Reactive JAX-RS endpoints to minimize the risk of exploitation.