CVE-2024-12225 (GCVE-0-2024-12225)

Vulnerability from cvelistv5 – Published: 2025-05-06 19:49 – Updated: 2025-11-20 07:12
VLAI?
Title
Io.quarkus:quarkus-security-webauthn: quarkus webauthn unexpected authentication bypass
Summary
A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in while allowing developers to provide custom REST endpoints. When developers provide custom REST endpoints, the default endpoints remain accessible, potentially allowing attackers to obtain a login cookie that has no corresponding user in the Quarkus application or, depending on how the application is written, could correspond to an existing user that has no relation with the current attacker, allowing anyone to log in as an existing user by just knowing that user's user name.
Severity ?
9.1 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE
  • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
Vendor Product Version
Affected: 0 , < 3.15.3.1 (semver)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-12225",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-08T18:33:57.733749Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-08T18:34:11.164Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/quarkusio/quarkus",
          "defaultStatus": "unaffected",
          "packageName": "quarkus",
          "versions": [
            {
              "lessThan": "3.15.3.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:quarkus:3"
          ],
          "defaultStatus": "unaffected",
          "packageName": "io.quarkus:quarkus-security-webauthn",
          "product": "Red Hat build of Quarkus",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2025-02-28T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in while allowing developers to provide custom REST endpoints. When developers provide custom REST endpoints, the default endpoints remain accessible, potentially allowing attackers to obtain a login cookie that has no corresponding user in the Quarkus application or, depending on how the application is written, could correspond to an existing user that has no relation with the current attacker, allowing anyone to log in as an existing user by just knowing that user\u0027s user name."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-20T07:12:24.461Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2024-12225"
        },
        {
          "name": "RHBZ#2330484",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2330484"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-12-05T00:18:42.885000+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-02-28T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Io.quarkus:quarkus-security-webauthn: quarkus webauthn unexpected authentication bypass",
      "workarounds": [
        {
          "lang": "en",
          "value": "It is possible to mitigate this issue by disabling the default endpoints after creating a custom one. For example with the call for:\n\n\nimport io.vertx.ext.web.Router;\n\nimport jakarta.enterprise.event.Observes;\n\npublic class Startup {\n    public void init(@Observes Router router) {\n      System.err.println(\"Securing WebAuthn default controller\");\n      router.post(\"/q/webauthn/callback\").order(0).handler(rc -\u003e rc.fail(404));\n    }\n}"
        }
      ],
      "x_redhatCweChain": "CWE-288: Authentication Bypass Using an Alternate Path or Channel"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2024-12225",
    "datePublished": "2025-05-06T19:49:16.502Z",
    "dateReserved": "2024-12-05T03:01:11.272Z",
    "dateUpdated": "2025-11-20T07:12:24.461Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-12225\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-08T18:33:57.733749Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-08T18:34:06.496Z\"}}], \"cna\": {\"title\": \"Io.quarkus:quarkus-security-webauthn: quarkus webauthn unexpected authentication bypass\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Important\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"3.15.3.1\", \"versionType\": \"semver\"}], \"packageName\": \"quarkus\", \"collectionURL\": \"https://github.com/quarkusio/quarkus\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:quarkus:3\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Quarkus\", \"packageName\": \"io.quarkus:quarkus-security-webauthn\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2024-12-05T00:18:42.885000+00:00\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2025-02-28T00:00:00+00:00\", \"value\": \"Made public.\"}], \"datePublic\": \"2025-02-28T00:00:00.000Z\", \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2024-12225\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2330484\", \"name\": \"RHBZ#2330484\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"It is possible to mitigate this issue by disabling the default endpoints after creating a custom one. For example with the call for:\\n\\n\\nimport io.vertx.ext.web.Router;\\n\\nimport jakarta.enterprise.event.Observes;\\n\\npublic class Startup {\\n    public void init(@Observes Router router) {\\n      System.err.println(\\\"Securing WebAuthn default controller\\\");\\n      router.post(\\\"/q/webauthn/callback\\\").order(0).handler(rc -\u003e rc.fail(404));\\n    }\\n}\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability was found in Quarkus in the quarkus-security-webauthn module. The Quarkus WebAuthn module publishes default REST endpoints for registering and logging users in while allowing developers to provide custom REST endpoints. When developers provide custom REST endpoints, the default endpoints remain accessible, potentially allowing attackers to obtain a login cookie that has no corresponding user in the Quarkus application or, depending on how the application is written, could correspond to an existing user that has no relation with the current attacker, allowing anyone to log in as an existing user by just knowing that user\u0027s user name.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-288\", \"description\": \"Authentication Bypass Using an Alternate Path or Channel\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2025-11-20T07:12:24.461Z\"}, \"x_redhatCweChain\": \"CWE-288: Authentication Bypass Using an Alternate Path or Channel\"}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-12225\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-20T07:12:24.461Z\", \"dateReserved\": \"2024-12-05T03:01:11.272Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2025-05-06T19:49:16.502Z\", \"assignerShortName\": \"redhat\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.