A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions.
References
Link | Resource |
---|---|
https://access.redhat.com/errata/RHSA-2023:7612 | |
https://access.redhat.com/security/cve/CVE-2023-6394 | Vendor Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=2252197 | Issue Tracking |
Configurations
History
20 Dec 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
13 Dec 2023, 08:15
Type | Values Removed | Values Added |
---|---|---|
CWE |
12 Dec 2023, 22:35
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-862 | |
References | () https://access.redhat.com/security/cve/CVE-2023-6394 - Vendor Advisory | |
References | () https://bugzilla.redhat.com/show_bug.cgi?id=2252197 - Issue Tracking | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.1 |
Summary |
|
|
First Time |
Quarkus
Redhat build Of Quarkus Quarkus quarkus Redhat |
|
CPE | cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:* cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:* |
09 Dec 2023, 02:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-12-09 02:15
Updated : 2023-12-20 21:15
NVD link : CVE-2023-6394
Mitre link : CVE-2023-6394
CVE.ORG link : CVE-2023-6394
JSON object : View
Products Affected
redhat
- build_of_quarkus
quarkus
- quarkus
CWE
CWE-862
Missing Authorization