cbcvebase.
CVE-2023-6394
published 2023-12-09

Priority: P2
Severity: critical, 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.81% (52.4th percentile)
A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions.

Affected (1 range)

Vendor   | Product | Version range | Fixed in
quarkus  | quarkus | < 3.6.0       | 3.6.0

Detection & IOCs (extracted from sources)

  • GraphQL operations sent over WebSocket connections to Quarkus endpoints bypass authentication when no role-based permission is specified on the GraphQL operation; monitor for unauthenticated WebSocket-based GraphQL requests to secured endpoints.
  • GraphQL operations on Quarkus endpoints are only protected if role-based permissions are explicitly specified on each operation; when per-operation role annotations are absent, authentication is skipped entirely over the WebSocket transport.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.1   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vendor_redhat |         | 7.4   | HIGH     |