GHSA-8j3x-w35r-rw4r

Source
https://github.com/advisories/GHSA-8j3x-w35r-rw4r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-8j3x-w35r-rw4r/GHSA-8j3x-w35r-rw4r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8j3x-w35r-rw4r
Aliases
Published
2024-01-25T21:32:14Z
Modified
2024-11-25T15:09:06.884996Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
Summary
Quarkus Improper Handling of Insufficient Permissions or Privileges and Improper Handling of Exceptional Conditions vulnerability
Details

A flaw was found in JSON payload handling. If annotation-based security is used to secure a REST resource, the JSON body that the resource consumes is processed (deserialized) before the security constraints are evaluated and applied, so untrusted input reaches the deserializer even for requests that would later be rejected. This does not happen with configuration-based security.

Database specific
{
    "nvd_published_at": "2024-01-25T19:15:08Z",
    "cwe_ids": [
        "CWE-280",
        "CWE-502",
        "CWE-755"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-31T22:38:58Z"
}
References

Affected packages

Maven / io.quarkus.resteasy.reactive:resteasy-reactive

Package

Name
io.quarkus.resteasy.reactive:resteasy-reactive
Purl
pkg:maven/io.quarkus.resteasy.reactive/resteasy-reactive

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.13.9.Final

Affected versions

1.*

1.11.0.Beta1
1.11.0.Beta2
1.11.0.CR1
1.11.0.Final
1.11.1.Final
1.11.2.Final
1.11.3.Final
1.11.4.Final
1.11.5.Final
1.11.6.Final
1.11.7.Final
1.12.0.CR1
1.12.0.Final
1.12.1.Final
1.12.2.Final
1.13.0.CR1
1.13.0.Final
1.13.1.Final
1.13.2.Final
1.13.3.Final
1.13.4.Final
1.13.5.Final
1.13.6.Final
1.13.7.Final

2.*

2.0.0.Alpha1
2.0.0.Alpha2
2.0.0.Alpha3
2.0.0.CR1
2.0.0.CR2
2.0.0.CR3
2.0.0.Final
2.0.1.Final
2.0.2.Final
2.0.3.Final
2.1.0.CR1
2.1.0.Final
2.1.1.Final
2.1.2.Final
2.1.3.Final
2.1.4.Final
2.2.0.CR1
2.2.0.Final
2.2.1.Final
2.2.2.Final
2.2.3.Final
2.2.4.Final
2.2.5.Final
2.3.0.CR1
2.3.0.Final
2.3.1.Final
2.4.0.CR1
2.4.0.Final
2.4.1.Final
2.4.2.Final
2.5.0.CR1
2.5.0.Final
2.5.1.Final
2.5.2.Final
2.5.3.Final
2.5.4.Final
2.6.0.CR1
2.6.0.Final
2.6.1.Final
2.6.2.Final
2.6.3.Final
2.7.0.CR1
2.7.0.Final
2.7.1.Final
2.7.2.Final
2.7.3.Final
2.7.4.Final
2.7.5.Final
2.7.6.Final
2.7.7.Final
2.8.0.CR1
2.8.0.Final
2.8.1.Final
2.8.2.Final
2.8.3.Final
2.9.0.CR1
2.9.0.Final
2.9.1.Final
2.9.2.Final
2.10.0.CR1
2.10.0.Final
2.10.1.Final
2.10.2.Final
2.10.3.Final
2.10.4.Final
2.11.0.CR1
2.11.0.Final
2.11.1.Final
2.11.2.Final
2.11.3.Final
2.12.0.CR1
2.12.0.Final
2.12.1.Final
2.12.2.Final
2.12.3.Final
2.13.0.CR1
2.13.0.Final
2.13.1.Final
2.13.2.Final
2.13.3.Final
2.13.4.Final
2.13.5.Final
2.13.6.Final
2.13.7.Final
2.13.8.Final

Maven / io.quarkus.resteasy.reactive:resteasy-reactive

Package

Name
io.quarkus.resteasy.reactive:resteasy-reactive
Purl
pkg:maven/io.quarkus.resteasy.reactive/resteasy-reactive

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0.Final
Fixed
3.2.9.Final

Affected versions

3.*

3.0.0.Final
3.0.1.Final
3.0.2.Final
3.0.3.Final
3.0.4.Final
3.1.0.CR1
3.1.0.Final
3.1.1.Final
3.1.2.Final
3.1.3.Final
3.2.0.CR1
3.2.0.Final
3.2.1.Final
3.2.2.Final
3.2.3.Final
3.2.4.Final
3.2.5.Final
3.2.6.Final
3.2.7.Final
3.2.8.Final