CVE-2023-6267

Quarkus: json payload getting processed prior to security checks when rest resources are used with annotations.

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.

Se encontró un fallo en el payload json. Si se utiliza seguridad basada en anotaciones para proteger un recurso REST, el cuerpo JSON que el recurso puede consumir se procesa (deserializa) antes de que se evalúen y apliquen las restricciones de seguridad. Esto no sucede con la seguridad basada en configuración.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-11-23 CVE Reserved
2024-01-25 CVE Published
2024-02-18 EPSS Updated
2024-11-24 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-280: Improper Handling of Insufficient Permissions or Privileges
CWE-502: Deserialization of Untrusted Data
CWE-755: Improper Handling of Exceptional Conditions

CAPEC

References (4)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2024:0494	2024-02-17
https://access.redhat.com/errata/RHSA-2024:0495	2024-02-17
https://access.redhat.com/security/cve/CVE-2023-6267	2024-01-25
https://bugzilla.redhat.com/show_bug.cgi?id=2251155	2024-01-25

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Quarkus Search vendor "Quarkus"		Quarkus Search vendor "Quarkus" for product "Quarkus"				< 2.13.9 Search vendor "Quarkus" for product "Quarkus" and version " < 2.13.9"		-		Affected
Quarkus Search vendor "Quarkus"		Quarkus Search vendor "Quarkus" for product "Quarkus"				>= 3.0.0 < 3.2.9 Search vendor "Quarkus" for product "Quarkus" and version " >= 3.0.0 < 3.2.9"		-		Affected
Quarkus Search vendor "Quarkus"		Quarkus Search vendor "Quarkus" for product "Quarkus"				2.13.9 Search vendor "Quarkus" for product "Quarkus" and version "2.13.9"		-		Affected
Quarkus Search vendor "Quarkus"		Quarkus Search vendor "Quarkus" for product "Quarkus"				3.2.9 Search vendor "Quarkus" for product "Quarkus" and version "3.2.9"		-		Affected