CVE-2023-6394
moderate-risk
Published 2023-12-09
A flaw was found in Quarkus. When a request is received over WebSocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication even though the endpoint is secured. This can allow an attacker to access information and functionality outside of the normally granted API permissions.
Do I need to act?
0.54% chance of exploitation (EPSS score: low exploit probability)
Not on CISA KEV list (no confirmed active exploitation reported to CISA)
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 7.4/10 (High), attack vector NETWORK, attack complexity HIGH
Affected Products (2)
References (7)
Vendor Advisory
https://access.redhat.com/security/cve/CVE-2023-6394
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=2252197
Risk score: 31/100 (moderate-risk)
Severity: 22/34 · High
Exploitability: 2/34 · Minimal
Exposure: 7/34 · Low