Veracode Vulnerability DatabaseVERACODE:44640Authorization Bypass
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
6.3 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
29.5%
quarkus-smallrye-graphql is vulnerable to Authorization Bypass. The vulnerability is due to doHandle function in SmallRyeGraphQLOverWebSocketHandler.java file there are no checks to ensure that the user is authenticated or authorized to access the GraphQL endpoint. This allows an attacker to access information and functionality outside of normal granted API permissions.
References
access.redhat.com/errata/RHSA-2023:7612
access.redhat.com/security/cve/CVE-2023-6394
bugzilla.redhat.com/show_bug.cgi?id=2252197
github.com/advisories/GHSA-mvc8-6ffp-jrx5
github.com/quarkusio/quarkus/commit/25ee3bec78c859806ee4733fa486f630cfb38a87
github.com/quarkusio/quarkus/pull/36961
github.com/quarkusio/quarkus/pull/37136
Related
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
6.3 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
29.5%