3 matches found
com.github.t1:wunderbar.demo.product (>=2.4.8 <=2.4.9), io.quarkiverse.githubaction:quarkus-github-action (>=0.9.1 <=0.9.2) +19 more potentially affected by CVE-2023-6394 via io.quarkus:quarkus-smallrye-graphql-client (>=2.0.0.Alpha3 <=2.13.8.Final)
io.quarkus:quarkus-smallrye-graphql-client MAVEN version =2.0.0.Alpha3, =2.4.8, =0.9.1, =0.9.1, =0.9.1, =1.9.0, =1.9.0, =1.9.0, =1.9.0, =1.9.0, =1.9.0, =1.9.0, =1.9.0, =1.9.0, =2.0.0, =2.0.0.Alpha3, =2.13.8.Final and more Source cves: CVE-2023-6394...
CVE-2023-6394
CVE-2023-6394 describes an authorization bypass in Quarkus where a websocket GraphQL operation can be processed without authentication if no role-based permission is specified. This allows potential access to information and functionality beyond the granted API permissions. The NVD entry lists a ...
CVE-2023-6394
A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and...