A flaw was found in Quarkus. When a request is received over WebSocket for a GraphQL operation that has no role-based permission specified, Quarkus processes the request without authentication even though the endpoint is secured. This can allow an attacker to access information and functionality outside of the normally granted API permissions.
References
| Link | Resource |
|---|---|
| https://access.redhat.com/errata/RHSA-2023:7612 | |
| https://access.redhat.com/security/cve/CVE-2023-6394 | Vendor Advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=2252197 | Issue Tracking |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2023-12-09T01:26:52.908Z
Updated: 2024-05-01T20:21:37.537Z
Reserved: 2023-11-30T04:05:52.129Z
Link: CVE-2023-6394
NVD Information
Status : Modified
Published: 2023-12-09T02:15:06.747
Modified: 2023-12-20T21:15:08.340
Link: CVE-2023-6394
Red Hat Information
No data.
CWE