Vulnerabilities > CVE-2023-6394 - Missing Authorization vulnerability in multiple products

047910
CVSS 9.1 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
NONE
network
low complexity
quarkus
redhat
CWE-862
critical

Summary

A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions.

Vulnerable Configurations

Part Description Count
Application
Quarkus
287
Application
Redhat
1

Common Weakness Enumeration (CWE)