Lucene search

K
cve[email protected]CVE-2023-6394
HistoryDec 09, 2023 - 2:15 a.m.

CVE-2023-6394

2023-12-0902:15:06
CWE-862
web.nvd.nist.gov
63
cve-2023-6394
quarkus
websocket
authentication bypass
api permissions

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

8.9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.6%

A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions.

Affected configurations

NVD
Node
quarkusquarkusRange<3.6.0
Node
redhatbuild_of_quarkusMatch-
CPENameOperatorVersion
quarkus:quarkusquarkuslt3.6.0

CNA Affected

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Quarkus 3.2.9.Final",
    "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
    "packageName": "io.quarkus/quarkus-smallrye-graphql",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "3.2.9.Final-redhat-00002",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:quarkus:3.2::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat build of Quarkus",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "com.graphql-java/graphql-java",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:quarkus:2"
    ]
  }
]

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

8.9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.6%