GHSA-mvc8-6ffp-jrx5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mvc8-6ffp-jrx5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-mvc8-6ffp-jrx5/GHSA-mvc8-6ffp-jrx5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mvc8-6ffp-jrx5
- Aliases
- Published
- 2023-12-09T03:30:15Z
- Modified
- 2024-08-02T15:49:55.922341Z
- Severity
-
- 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Authorization bypass in Quarkus
- Details
-
A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions.
- Database specific
{ "nvd_published_at": "2023-12-09T02:15:06Z", "cwe_ids": [ "CWE-696", "CWE-862" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-12-12T00:50:32Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2023-6394
- https://github.com/quarkusio/quarkus/pull/36961
- https://access.redhat.com/errata/RHSA-2023:7612
- https://access.redhat.com/errata/RHSA-2023:7700
- https://access.redhat.com/security/cve/CVE-2023-6394
- https://bugzilla.redhat.com/show_bug.cgi?id=2252197
- https://github.com/quarkusio/quarkus
- https://github.com/quarkusio/quarkus/releases/tag/2.13.9.Final
- https://github.com/quarkusio/quarkus/releases/tag/3.5.3
Affected packages
Maven / io.quarkus:quarkus-smallrye-graphql-client
Package
- Name
- io.quarkus:quarkus-smallrye-graphql-client
- View open source insights on deps.dev
- Purl
- pkg:maven/io.quarkus/quarkus-smallrye-graphql-client
Affected versions
2.*
2.14.0.Final
2.14.1.Final
2.14.2.Final
2.14.3.Final
2.15.0.CR1
2.15.0.Final
2.15.1.Final
2.15.2.Final
2.15.3.Final
2.16.0.CR1
2.16.0.Final
2.16.1.Final
2.16.2.Final
2.16.3.Final
2.16.4.Final
2.16.5.Final
2.16.6.Final
2.16.7.Final
2.16.8.Final
2.16.9.Final
2.16.10.Final
2.16.11.Final
2.16.12.Final
3.*
3.0.0.Alpha1
3.0.0.Alpha2
3.0.0.Alpha3
3.0.0.Alpha4
3.0.0.Alpha5
3.0.0.Alpha6
3.0.0.Beta1
3.0.0.CR1
3.0.0.CR2
3.0.0.Final
3.0.1.Final
3.0.2.Final
3.0.3.Final
3.0.4.Final
3.1.0.CR1
3.1.0.Final
3.1.1.Final
3.1.2.Final
3.1.3.Final
3.2.0.CR1
3.2.0.Final
3.2.1.Final
3.2.2.Final
3.2.3.Final
3.2.4.Final
3.2.5.Final
3.2.6.Final
3.2.7.Final
3.2.8.Final
3.2.9.Final
3.2.10.Final
3.2.11.Final
3.2.12.Final
3.3.0.CR1
3.3.0
3.3.1
3.3.2
3.3.3
3.4.0.CR1
3.4.0
3.4.1
3.4.2
3.4.3
3.5.0.CR1
3.5.0
3.5.1
3.5.2
Maven / io.quarkus:quarkus-smallrye-graphql-client
Package
- Name
- io.quarkus:quarkus-smallrye-graphql-client
- View open source insights on deps.dev
- Purl
- pkg:maven/io.quarkus/quarkus-smallrye-graphql-client
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.13.9.Final
Affected versions
2.*
2.0.0.Alpha3
2.0.0.CR1
2.0.0.CR2
2.0.0.CR3
2.0.0.Final
2.0.1.Final
2.0.2.Final
2.0.3.Final
2.1.0.CR1
2.1.0.Final
2.1.1.Final
2.1.2.Final
2.1.3.Final
2.1.4.Final
2.2.0.CR1
2.2.0.Final
2.2.1.Final
2.2.2.Final
2.2.3.Final
2.2.4.Final
2.2.5.Final
2.3.0.CR1
2.3.0.Final
2.3.1.Final
2.4.0.CR1
2.4.0.Final
2.4.1.Final
2.4.2.Final
2.5.0.CR1
2.5.0.Final
2.5.1.Final
2.5.2.Final
2.5.3.Final
2.5.4.Final
2.6.0.CR1
2.6.0.Final
2.6.1.Final
2.6.2.Final
2.6.3.Final
2.7.0.CR1
2.7.0.Final
2.7.1.Final
2.7.2.Final
2.7.3.Final
2.7.4.Final
2.7.5.Final
2.7.6.Final
2.7.7.Final
2.8.0.CR1
2.8.0.Final
2.8.1.Final
2.8.2.Final
2.8.3.Final
2.9.0.CR1
2.9.0.Final
2.9.1.Final
2.9.2.Final
2.10.0.CR1
2.10.0.Final
2.10.1.Final
2.10.2.Final
2.10.3.Final
2.10.4.Final
2.11.0.CR1
2.11.0.Final
2.11.1.Final
2.11.2.Final
2.11.3.Final
2.12.0.CR1
2.12.0.Final
2.12.1.Final
2.12.2.Final
2.12.3.Final
2.13.0.CR1
2.13.0.Final
2.13.1.Final
2.13.2.Final
2.13.3.Final
2.13.4.Final
2.13.5.Final
2.13.6.Final
2.13.7.Final
2.13.8.Final