Quarkus: GraphQL operations over WebSockets bypass
CVE-2023-6394
CVSS 7.4 HIGH
Key Information:
- Vendor: Red Hat
- CVE Published: 9 December 2023
Summary
A flaw exists in Quarkus that allows unauthorized access through WebSocket requests. When no specific role-based permissions are defined for GraphQL operations, Quarkus processes incoming GraphQL-over-WebSocket requests without properly enforcing authentication, so endpoints intended to be protected are exposed. This flaw potentially enables attackers to take advantage of existing permissions to reach sensitive information and functionality that should otherwise remain restricted.
Affected Version(s)
- Red Hat build of Quarkus 2.13.9.Final (2.13.9.Final-redhat-00002)
- Red Hat build of Quarkus 3.2.9.Final (3.2.9.Final-redhat-00002)
CVSS v3.1
- Score: 7.4
- Severity: HIGH
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Collectors: NVD Database, Mitre Database