CVE-2023-6394

Source
https://cve.org/CVERecord?id=CVE-2023-6394
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-6394.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-6394
Aliases
Published
2023-12-09T01:26:52.908Z
Modified
2026-07-15T01:49:19.649126519Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Quarkus: graphql operations over websockets bypass
Details

A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions.

Database specific
{
    "cwe_ids": [
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/6xxx/CVE-2023-6394.json",
    "cna_assigner": "redhat"
}
References

Affected packages

Git / github.com/quarkusio/quarkus

Affected ranges

Type
GIT
Repo
https://github.com/quarkusio/quarkus
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.6.0"
        }
    ],
    "source": "CPE_RANGE"
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-6394.json"