VDB
CVE-2024-1726
CVE-2024-1726
PUBLISHED
CVSS 5.300000190734863 MEDIUM
A flaw was discovered in the RESTEasy Reactive implementation in Quarkus. Due to security checks for some JAX-RS endpoints being performed after serialization, more processing resources are consumed while the HTTP request is checked. In certain configurations, if an attacker has knowledge of any POST, PUT, or PATCH request paths, they can potentially identify vulnerable endpoints and trigger excessive resource usage as the endpoints process the requests. This can result in a denial of service.
EPSS 0.03% · 8.8th percentile
Risk Scores
CVSS 3.1
5.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score
0.03%
8.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| 3.8.0, 3.8.0.CR1, 3.8.0.CR1 | ||
| Red Hat | Red Hat build of Quarkus 3.2.11.Final | 3.2.11.Final-redhat-00001, 3.2.11.Final-redhat-00001, 3.2.11.Final-redhat-00001 |
| Red Hat | Red Hat build of Quarkus | |
| Maven | io.quarkus.resteasy.reactive:resteasy-reactive | 3.8.0.CR1, *, * |
Exploit Intelligence
- CIRCL seen: CVE-2024-1726 (circl-sighting)
- CIRCL seen: CVE-2024-1726 (circl-sighting)
- RHSA-2024:1662 (circl)
- https://access.redhat.com/security/cve/CVE-2024-1726 (circl)
- RHBZ#2265158 (circl)
Timeline
- Feb 22, 2024 PoC Published
- Apr 25, 2024 CVE Published
- Apr 26, 2024 EPSS Score
- May 20, 2024 EPSS Score
- Jun 15, 2024 EPSS Score
- Jul 9, 2024 EPSS Score
- Aug 7, 2024 EPSS Score
- Aug 31, 2024 EPSS Score
- Sep 24, 2024 EPSS Score
- Oct 4, 2024 Coalition ESS Score
- Oct 19, 2024 EPSS Score
- Nov 12, 2024 EPSS Score
References
- RHSA-2024:1662 vendor-advisory
- https://access.redhat.com/security/cve/CVE-2024-1726 vdb
- RHBZ#2265158 issue
- https://nvd.nist.gov/vuln/detail/CVE-2024-1726 advisory
- https://github.com/quarkusio/quarkus/commit/34c1a63baf5401d0d578a23a1a4deb4b841ce65b url
- https://github.com/quarkusio/quarkus/commit/96d93427f3b4a7d3cff34d8b7b883e13cecd359c url
- https://github.com/quarkusio/quarkus package