CVE-2023-6394
Quarkus < 3.6.0 - Missing Authorization via WebSocket GraphQL Request
Severity: HIGH
Title source: llmDescription
A flaw was found in Quarkus. When a GraphQL request arrives over a WebSocket connection and no role-based permission is specified on the GraphQL operation itself, Quarkus processes the request without authenticating the caller, even though the endpoint is secured. An attacker can use this to reach data and functionality outside the API permissions they would normally be granted. The issue is fixed upstream in Quarkus 3.6.0.
References (4)
Vendor Advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2023:7612
Vendor Advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2023:7700
Vendor Advisory, VDB entry (x_refsource_redhat): https://access.redhat.com/security/cve/CVE-2023-6394
Issue Tracking (x_refsource_redhat): https://bugzilla.redhat.com/show_bug.cgi?id=2252197
Scores
CVSS v3: 7.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: NETWORK
EPSS: 0.0054 (67.7th percentile)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-862 (Missing Authorization)
Status: published
Products (5)
io.quarkus/quarkus-smallrye-graphql-client (Maven): 2.14.0 - 3.5.3
quarkus/quarkus: < 3.6.0
Red Hat / Red Hat build of Quarkus 2.13.9.Final: 2.13.9.Final-redhat-00002
Red Hat / Red Hat build of Quarkus 3.2.9.Final: 3.2.9.Final-redhat-00002
redhat/build_of_quarkus
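A practical way to act on the affected range in this record is to check a project's resolved dependencies against it. The script below is an added example, not part of the CVE record or of the Quarkus project. It takes lines in the shape printed by `mvn dependency:tree`, finds the `io.quarkus:quarkus-smallrye-graphql-client` coordinate, and reports whether the resolved version falls inside 2.14.0 through 3.5.3 (fixed in 3.6.0). The dependency-tree lines are constructed sample input, the Maven version ordering is a simplified one (numeric segments first, then a pre-release qualifier such as CR sorting before a Final release), and Red Hat productized builds (`-redhat-NNNNN`) are deliberately not judged against the community range, because their fix status is carried by the RHSA errata referenced above rather than by the upstream version number.

```python
"""Check Maven dependency-tree output against the affected range for CVE-2023-6394.

Added example: not part of the CVE record or of the Quarkus project. The affected
range (2.14.0 through 3.5.3, fixed in 3.6.0) and the artifact coordinate are taken
from the record above; the dependency-tree lines are constructed sample input.
"""
import re
from typing import List, Optional, Tuple

ARTIFACT = "io.quarkus:quarkus-smallrye-graphql-client"  # coordinate from the record
AFFECTED_FIRST = "2.14.0"   # first affected version per the record
FIXED_IN = "3.6.0"          # first fixed version per the record

# Simplified Maven qualifier ordering: pre-release qualifiers sort before a bare,
# Final or GA release of the same numeric version. Unknown qualifiers are treated
# as releases, the conservative choice for an "is it older than the fix" test.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "milestone": 2, "m": 2, "rc": 3, "cr": 3,
                   "snapshot": 4, "": 5, "final": 5, "ga": 5, "release": 5}

# One `mvn dependency:tree` line: groupId:artifactId:type[:classifier]:version:scope
DEP_RE = re.compile(
    r"([A-Za-z0-9_.-]+):([A-Za-z0-9_.-]+):(?:jar|pom|war)(?::[A-Za-z0-9_.-]+)?"
    r":(\d[A-Za-z0-9_.-]*):(?:compile|runtime|provided|test|system)\b"
)


def parse_version(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Turn '3.6.0.CR1' into ((3, 6, 0), 3, '1') so tuples compare in Maven order."""
    tokens = re.split(r"[.-]", version)
    numeric: List[int] = []
    rest: List[str] = []
    for i, tok in enumerate(tokens):
        if tok.isdigit():
            numeric.append(int(tok))
        else:
            rest = tokens[i:]          # first non-numeric token starts the qualifier
            break
    qualifier, build = "", ""
    if rest:
        m = re.match(r"([A-Za-z]*)(.*)", rest[0])
        qualifier, build = m.group(1).lower(), m.group(2) + "".join(rest[1:])
    return tuple(numeric), _QUALIFIER_RANK.get(qualifier, 5), build


def is_affected(version: str) -> Optional[bool]:
    """True/False for community builds. None for Red Hat productized builds
    (e.g. 3.2.9.Final-redhat-00002): those carry backported fixes tracked by
    the RHSA errata, so the community range says nothing about them."""
    if "redhat" in version.lower():
        return None
    v = parse_version(version)
    return parse_version(AFFECTED_FIRST) <= v < parse_version(FIXED_IN)


def scan_dependency_tree(lines: List[str]) -> List[Tuple[str, str, Optional[bool]]]:
    """Return (coordinate, version, verdict) for each occurrence of ARTIFACT."""
    findings = []
    for line in lines:
        m = DEP_RE.search(line)
        if m and f"{m.group(1)}:{m.group(2)}" == ARTIFACT:
            findings.append((ARTIFACT, m.group(3), is_affected(m.group(3))))
    return findings


# Constructed sample in the shape of `mvn dependency:tree` output, not a real project.
SAMPLE_TREE = [
    "[INFO] com.example:orders-api:jar:1.0.0-SNAPSHOT",
    "[INFO] +- io.quarkus:quarkus-smallrye-graphql-client:jar:3.5.3:compile",
    "[INFO] |  \\- io.smallrye:smallrye-graphql-client:jar:2.6.0:compile",
    "[INFO] +- io.quarkus:quarkus-resteasy-reactive:jar:3.5.3:compile",
    "[INFO] \\- io.quarkus:quarkus-junit5:jar:3.5.3:test",
]

if __name__ == "__main__":
    for coord, version, verdict in scan_dependency_tree(SAMPLE_TREE):
        status = {True: "AFFECTED", False: "not affected",
                  None: "vendor build, check the RHSA errata"}[verdict]
        print(f"{coord}:{version} -> {status}")
```

Feed it the real output of `mvn dependency:tree` to scan a project; a pre-release such as 3.6.0.CR1 is reported as affected because the range is evaluated as "older than the 3.6.0 release", which is the conservative reading when the record names only the final fixed version.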
Published: Dec 09, 2023
Tracked Since: Feb 18, 2026