Critical Vulnerability Information

Vulnerability Identifier
CVE ID: CVE-2024-12225

Impact Severity
CVSS v3 Base Score: 9.1
Impact Level: Important

Impact Description
Vulnerability Description: A vulnerability has been identified in the WebAuthn module of Quarkus. This module provides default REST endpoints for user registration and login, while also allowing developers to supply custom REST endpoints. When developers implement custom endpoints, the default endpoints remain accessible, potentially enabling attackers to bypass authentication for Quarkus applications that use the default cookies. Alternatively, depending on how the application is written, an attacker may be able to authenticate as an existing, unrelated user simply by knowing that user's username, so that anyone can log in as an existing user.

Affected Software Packages
Red Hat-built Quarkus: Not affected by this vulnerability

Mitigation
Mitigation Steps: This issue can be mitigated by disabling the default endpoints after creating custom endpoints. For example, the following code can be used:

Weakness (CWE)
CWE ID: CWE-288
Technical Impact: Bypassing Protection Mechanism

Additional Information
Related Bugzilla: Bugzilla 2330484: io.quarkus:quarkus-security-webauthn: Quarkus WebAuthn Unexpected Authentication Bypass
Related CWE: CWE-286: Authentication Bypass Using Alternate Path or Channel
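The mitigation above refers to a code snippet that does not appear on this page. The configuration below is an added example, not the advisory's own snippet: it disables the default WebAuthn registration and login endpoints in application.properties once custom endpoints exist. The property names are taken from the Quarkus WebAuthn configuration reference, not from this advisory, and are an assumption to verify against the Quarkus version in use.

```properties
# application.properties (added example, not from the advisory)

# Weak setting: the module's default registration and login endpoints
# stay reachable alongside the application's custom endpoints, so the
# checks enforced only in the custom endpoints can be bypassed by
# calling the defaults directly.
# quarkus.webauthn.enable-registration-endpoint=true
# quarkus.webauthn.enable-login-endpoint=true

# Mitigated setting: turn the default endpoints off after creating custom
# endpoints, so only the application's own registration and login paths
# are served and the default cookie-issuing flow is no longer exposed.
quarkus.webauthn.enable-registration-endpoint=false
quarkus.webauthn.enable-login-endpoint=false
```

After applying the setting, confirm that requests to the default endpoints return an error rather than a session cookie, and that only the custom endpoints issue one.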