Quarkus Path-Based Authorization Bypass Vulnerability
Vulnerability
A vulnerability in Quarkus versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2 allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. The issue arises from a path normalization inconsistency between Quarkus's security layer and RESTEasy Reactive's routing layer: the security layer keeps matrix parameters (the `;name=value` part of a path segment) in the URL path when it evaluates authorization, while the routing layer strips them before matching endpoints. As a result, an attacker can append a semicolon and arbitrary text to a request URL so that the path no longer matches the policy but still routes to the protected endpoint, potentially gaining unauthorized access to protected resources.
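The mismatch described above can be modelled in a few lines. The following is an added illustration, not Quarkus or RESTEasy Reactive code: it assumes a prefix policy that protects `/admin/` with an `admin` role, a routing layer that normalizes matrix parameters before matching, and a security layer that either checks the raw path (the inconsistent behaviour) or the same normalized path (the consistent one). It also includes a small detection helper that flags requests carrying matrix parameters, which is useful for log review while the fixed versions are rolled out.

```python
"""
Constructed model of a path-normalization mismatch between an authorization
layer and a routing layer. Added illustration, not Quarkus code; the policy
prefix, role name and sample paths are assumptions.
"""
from dataclasses import dataclass

# Assumed path-based policy: everything under /admin/ requires the "admin" role.
PROTECTED_PREFIX = "/admin/"
REQUIRED_ROLE = "admin"


@dataclass(frozen=True)
class Decision:
    authorized: bool   # what the security layer decided
    routed_to: str     # the path the routing layer actually dispatches to
    flagged: bool      # True when the raw path carried matrix parameters


def strip_matrix_params(path: str) -> str:
    """Drop ';name=value' matrix parameters from every path segment.

    '/admin;x=1/users;y=2' -> '/admin/users'
    """
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def has_matrix_params(path: str) -> bool:
    """Cheap signal for logging or alerting: a ';' inside the path component."""
    return ";" in path


def route(path: str) -> str:
    """Model of the routing layer: it normalizes before matching endpoints."""
    return strip_matrix_params(path)


def policy_allows(effective_path: str, roles: frozenset) -> bool:
    """Prefix policy evaluated on whatever path string it is handed."""
    if effective_path.startswith(PROTECTED_PREFIX):
        return REQUIRED_ROLE in roles
    return True


def handle_inconsistent(path: str, roles: frozenset) -> Decision:
    """Security layer checks the raw path, router matches the normalized one."""
    return Decision(
        authorized=policy_allows(path, roles),
        routed_to=route(path),
        flagged=has_matrix_params(path),
    )


def handle_consistent(path: str, roles: frozenset) -> Decision:
    """Both layers see the same normalized path, so policy and route agree."""
    normalized = strip_matrix_params(path)
    return Decision(
        authorized=policy_allows(normalized, roles),
        routed_to=route(path),
        flagged=has_matrix_params(path),
    )


def mismatch(decision: Decision, roles: frozenset) -> bool:
    """True when a request reaches a protected route without the required role.

    This is the condition a regression test or an audit log check should
    look for: the router dispatched under the protected prefix while the
    policy let the request through.
    """
    return (
        decision.authorized
        and decision.routed_to.startswith(PROTECTED_PREFIX)
        and REQUIRED_ROLE not in roles
    )


if __name__ == "__main__":
    # Constructed sample requests: one plain, one with a matrix parameter.
    anonymous = frozenset()
    for sample in ("/admin/users", "/admin;x=1/users"):
        before = handle_inconsistent(sample, anonymous)
        after = handle_consistent(sample, anonymous)
        print(f"{sample!r}: inconsistent mismatch={mismatch(before, anonymous)}, "
              f"consistent mismatch={mismatch(after, anonymous)}, flagged={after.flagged}")
```

The point of `handle_consistent` is not the specific normalization (Quarkus's fix is its own), but that the authorization decision and the routing decision must be computed over the same canonical path; any layer that sees a different string from the one used for dispatch is a candidate for this class of bypass.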
Impact
Exploitation of this vulnerability can result in unauthorized access to resources that are supposed to be protected by HTTP path-based authorization policies.
