CVE CyberSecurity Database News

CVE-2023-5675 - Quarkus Authorization Bypass via Abstract Classes and Extensions – Exploit Explained

Poster -

Summary:
CVE-2023-5675 is a significant security vulnerability that affects Java applications using Quarkus, specifically those using the RestEasy Classic or Reactive JAX-RS endpoints. If your project uses inheritance with abstract classes or customizes endpoints through annotation processors (e.g., via Quarkus extensions), Quarkus may silently skip authorization checks for endpoint methods. This happens even if your configuration should strictly enforce access controls (quarkus.security.jaxrs.deny-unannotated-endpoints=true or quarkus.security.jaxrs.default-roles-allowed=*). In this article, I'll break down the bug, show how it can be exploited, and offer references for remediation.

Imagine you've set up strict security for your REST API. In your application.properties you have

# Deny access to all unannotated endpoints
quarkus.security.jaxrs.deny-unannotated-endpoints=true

# Only allow users with the 'admin' role for REST endpoints by default
quarkus.security.jaxrs.default-roles-allowed=admin

Now, you refactor your code so your JAX-RS resource extends an abstract class, maybe for code reuse. Or perhaps a Quarkus extension rewrites your resource with annotation processors.

But, due to CVE-2023-5675, Quarkus does not enforce authorization checks on those inherited or generated methods, letting unauthenticated users invoke them—even though your policy says not to!

2. Vulnerable Example – Code Demonstration

Suppose you want all endpoints to require authentication unless explicitly annotated. You refactor your code as follows:

Abstract Resource

public abstract class BaseUserApi {
    @GET
    @Path("/userinfo")
    public String getUserInfo() {
        return "Sensitive User Info";
    }
}

REST Endpoint Implementation

@Path("/users")
public class UserResource extends BaseUserApi {
    // Inherits getUserInfo()
}

Security Config

quarkus.security.jaxrs.deny-unannotated-endpoints=true
quarkus.security.jaxrs.default-roles-allowed=admin

What You Expect: Only users with the admin role can call /users/userinfo.

The Reality:
Because getUserInfo() is in an abstract class, its security is not enforced as expected. Any user – even unauthenticated – can call /users/userinfo and get a response.

3. Exploitation Example

- The endpoint /users/userinfo is deployed as above.

- Anyone can curl the endpoint, without any JWT/OAuth token or credentials

curl http://my.quarkus.app/users/userinfo

Expected: 401 Unauthorized or 403 Forbidden
Actual (Vulnerable):

Sensitive User Info

This vulnerability is triggered in two common scenarios

- Inherited Methods: Your REST endpoint class inherits JAX-RS methods (e.g., @GET methods) from an abstract base class.
- Quarkus Extensions: An annotation processor (used by Quarkus or third-party extensions) generates resource methods for your endpoint class.

Quarkus's internal logic misses these methods during security annotation processing, so roles allowed and deny-by-default logic are not applied.

5. More Technical Details

- This affects both RestEasy Classic and RestEasy Reactive endpoints.

quarkus.security.jaxrs.default-roles-allowed

- CVE Page: NVD - CVE-2023-5675
- Vendor Advisory: Red Hat Security Advisory
- Fixed in: Quarkus 2.16.11.Final, 3.2.4.Final, 3.5. or newer

6. How To Fix (Mitigation)

- Upgrade to Quarkus 2.16.11.Final, 3.2.4.Final, 3.5. or newer.
- Avoid defining endpoint methods exclusively in abstract classes, unless you are sure your Quarkus version is patched.
- Consider explicitly annotating every endpoint method with @RolesAllowed as an extra safeguard, or avoid relying only on configuration-driven policy, especially if using code generation via annotation processors.

Example (Patch Workaround)

@Path("/users")
public class UserResource extends BaseUserApi {

    @Override
    @GET
    @Path("/userinfo")
    @RolesAllowed("admin") // Explicit annotation, as a safeguard!
    public String getUserInfo() {
        return super.getUserInfo();
    }
}

7. Official References

- Quarkus Security Guide
- Red Hat Security Advisory
- Quarkus Github - Issue and Fix
- NVD Entry for CVE-2023-5675

8. Conclusion

CVE-2023-5675 is a silent, dangerous security loophole – perfect for privilege escalation or data exposure if your REST endpoints rely on abstract base classes or annotation-processor generator code. Upgrade immediately and audit your endpoints for inherited methods!

Timeline

Published on: 04/25/2024 16:15:08 UTC
Last modified on: 04/25/2024 17:25:05 UTC