CVE-2023-6394

Quarkus: graphql operations over websockets bypass

Severity Score

9.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions.

Se encontró un defecto en Quarkus. Este problema ocurre cuando se recibe una solicitud a través de websocket sin ningún permiso basado en roles especificado en la operación GraphQL, Quarkus procesa la solicitud sin autenticación a pesar de que el endpoint está protegido. Esto puede permitir que un atacante acceda a información y funcionalidad fuera de los permisos API normales otorgados.

A new release of the Red Hat build of Quarkus is now available. This new release comes packed with a host of enhancements, bug fixes, and security fixes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section. Issues addressed include a denial of service vulnerability.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-11-30 CVE Reserved
2023-12-09 CVE Published
2024-11-23 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-862: Missing Authorization

CAPEC

References (4)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2023:7612	2023-12-20
https://access.redhat.com/security/cve/CVE-2023-6394	2023-12-07
https://bugzilla.redhat.com/show_bug.cgi?id=2252197	2023-12-07
https://access.redhat.com/errata/RHSA-2023:7700	2024-11-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Quarkus Search vendor "Quarkus"		Quarkus Search vendor "Quarkus" for product "Quarkus"				< 3.6.0 Search vendor "Quarkus" for product "Quarkus" and version " < 3.6.0"		-		Affected
Redhat Search vendor "Redhat"		Build Of Quarkus Search vendor "Redhat" for product "Build Of Quarkus"				-		-		Affected