CVE-2023-6394

Published: Dec 9, 2023Modified: Mar 24, 2026

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 3.9 / Impact: 5.2

Source: NVD

Description

A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions.

Affected (2)

Products: Quarkus: Quarkus · Redhat: Build Of Quarkus

1 product

1 product

Build Of Quarkus

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Quarkus Quarkus	Before 3.6.0

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Build Of Quarkus	All versions

Related CWEs

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (7)

https://access.redhat.com/errata/RHSA-2023:7612

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2023:7700

Source: secalert@redhat.com

https://access.redhat.com/security/cve/CVE-2023-6394

Source: secalert@redhat.com

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2252197

Source: secalert@redhat.com

Issue Tracking

https://access.redhat.com/errata/RHSA-2023:7612

Source: af854a3a-2127-422b-91ae-364da2661108

https://access.redhat.com/security/cve/CVE-2023-6394

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2252197

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking

Timeline

No history available yet.