CVE-2023-6394
7.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat build of Quarkus 2.13.9.Final | 2.13.9.Final-redhat-00002 < * | unaffected |
| Red Hat | Red Hat build of Quarkus 3.2.9.Final | 3.2.9.Final-redhat-00002 < * | unaffected |
Weaknesses
- CWE-862: Missing Authorization
ADP Enrichment
CVE Program Container
Additional References
- https://access.redhat.com/errata/RHSA-2023:7612
- https://access.redhat.com/security/cve/CVE-2023-6394
- https://bugzilla.redhat.com/show_bug.cgi?id=2252197
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://access.redhat.com/errata/RHSA-2023:7612
- https://access.redhat.com/errata/RHSA-2023:7700
- https://access.redhat.com/security/cve/CVE-2023-6394
- https://bugzilla.redhat.com/show_bug.cgi?id=2252197
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.