CVE-2023-6394


A flaw was found in Quarkus. When a request is received over WebSocket and no role-based permission is specified on the GraphQL operation, Quarkus processes the request without authentication even though the endpoint is secured. This can allow an attacker to access information and functionality outside of normally granted API permissions.


Published

2023-12-09T02:15:06.747

Last Modified

2024-11-21T08:43:46.407

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.4 (HIGH)

Weaknesses
  • Type: Secondary
    CWE-862
  • Type: Primary
    CWE-862

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|------|--------|---------|---------------|-------------|
| Application | quarkus | quarkus | < 3.6.0 | Yes |
| Application | redhat | build_of_quarkus | - | Yes |

References