Vulnerability	Vulnerable Version
H Incorrect Authorization Affected versions of this package are vulnerable to Incorrect Authorization when handling HTTP request paths that have had `normalizedPath()` applied. An attacker can gain unauthorized access to protected resources by appending a semicolon and arbitrary text to the request URL, exploiting inconsistencies between the security layer and routing layer in path normalization. Endpoints are matched for authorization purposes with their trailing matrix parameters, so `/api/admin;anything` successfully matches `/api/admin`, but routing rules are applied to the endpoint without matrix parameters, bypassing policies. How to fix Incorrect Authorization? Upgrade `io.quarkus:quarkus-oidc` to version 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.34.7, 3.35.1 or higher.	[,3.20.6.1)[3.21.0,3.27.3.1)[3.28.0,3.33.1.1)[3.34.0.CR1,3.34.7)[3.35.0.CR1,3.35.1)

Incorrect Authorization

Affected versions of this package are vulnerable to Incorrect Authorization when handling HTTP request paths that have had normalizedPath() applied. An attacker can gain unauthorized access to protected resources by appending a semicolon and arbitrary text to the request URL, exploiting inconsistencies between the security layer and routing layer in path normalization. Endpoints are matched for authorization purposes with their trailing matrix parameters, so /api/admin;anything successfully matches /api/admin, but routing rules are applied to the endpoint without matrix parameters, bypassing policies.

How to fix Incorrect Authorization?

Upgrade io.quarkus:quarkus-oidc to version 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.34.7, 3.35.1 or higher.

[,3.20.6.1)[3.21.0,3.27.3.1)[3.28.0,3.33.1.1)[3.34.0.CR1,3.34.7)[3.35.0.CR1,3.35.1)

Go back to all versions of this package