Deserialization Before Auth in SpringSec CVE-2023-6267
CVE-2023-6267 Published on January 25, 2024

A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.

Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2023-6267 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
HIGH

Weakness Type

Improper Handling of Exceptional Conditions

The software does not handle or incorrectly handles an exceptional condition.


Products Associated with CVE-2023-6267

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-6267 are published in these products:

Quarkus
 
Red Hat Quarkus
 
Red Hat Optaplanner
 
Red Hat Jboss Fuse
 
Red Hat Integration
 
Red Hat Camel Quarkus
 
VMware Spring Security
 

Affected Versions

Red Hat build of Quarkus 2.13.9.Final: Red Hat build of Quarkus 3.2.9.Final: Red Hat build of OptaPlanner 8: Red Hat Fuse 7: Red Hat Integration Camel K 1: Red Hat Integration Camel Quarkus 2:

Exploit Probability

EPSS
0.67%
Percentile
70.72%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.