CVE-2023-6394

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-6394

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-6394.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-6394

Aliases

GHSA-mvc8-6ffp-jrx5

Published

2023-12-09T02:15:06Z

Modified

2024-08-02T13:15:55Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions.

References

Affected packages

Git / github.com/quarkusio/quarkus

Affected ranges

Type: GIT
Repo: https://github.com/quarkusio/quarkus
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

dc364b898175400962224393f9eb82d3e0ab2efb