CVE-2023-6267

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-6267
A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://access.redhat.com/errata/RHSA-2024:0494
https://access.redhat.com/errata/RHSA-2024:0495
https://access.redhat.com/security/cve/CVE-2023-6267 Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2251155 Issue Tracking Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*
cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*
cpe:2.3:a:quarkus:quarkus:2.13.9:-:*:*:*:*:*:*
cpe:2.3:a:quarkus:quarkus:3.2.9:-:*:*:*:*:*:*
History

17 Feb 2024, 10:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:0494 -
  • () https://access.redhat.com/errata/RHSA-2024:0495 -

31 Jan 2024, 17:17

Type Values Removed Values Added
References () https://access.redhat.com/security/cve/CVE-2023-6267 - () https://access.redhat.com/security/cve/CVE-2023-6267 - Vendor Advisory
References () https://bugzilla.redhat.com/show_bug.cgi?id=2251155 - () https://bugzilla.redhat.com/show_bug.cgi?id=2251155 - Issue Tracking, Vendor Advisory
CPE cpe:2.3:a:quarkus:quarkus:2.13.9:-:*:*:*:*:*:*
cpe:2.3:a:quarkus:quarkus:3.2.9:-:*:*:*:*:*:*
cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : 8.6 		v2 : unknown
v3 : 9.8
Summary
  • (es) Se encontró un fallo en el payload json. Si se utiliza seguridad basada en anotaciones para proteger un recurso REST, el cuerpo JSON que el recurso puede consumir se procesa (deserializa) antes de que se evalúen y apliquen las restricciones de seguridad. Esto no sucede con la seguridad basada en configuración.
First Time Quarkus
Quarkus quarkus
CWE CWE-755

25 Jan 2024, 19:28

Type Values Removed Values Added
New CVE
Information

Published : 2024-01-25 19:15

Updated : 2024-02-17 10:15

NVD link : CVE-2023-6267

Mitre link : CVE-2023-6267

CVE.ORG link : CVE-2023-6267

JSON object : View

Products Affected

quarkus

  • quarkus
CWE
CWE-755

Improper Handling of Exceptional Conditions

CWE-280

Improper Handling of Insufficient Permissions or Privileges