Veracode Vulnerability Database: VERACODE:44640

Authorization Bypass

Published: Dec 12, 2023 - 11:53 a.m. (2023-12-12 11:53:27)
Source: Veracode Vulnerability Database (sca.analysiscenter.veracode.com)
Tags: vulnerability, authorization bypass, quarkus-smallrye-graphql, security, graphql, api permissions

CVSS3: 9.1 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score: 6.3 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 29.5%)

quarkus-smallrye-graphql is vulnerable to Authorization Bypass. The vulnerability exists because the doHandle function in SmallRyeGraphQLOverWebSocketHandler.java performs no check that the user is authenticated or authorized to access the GraphQL endpoint. This allows an attacker to access information and functionality outside of the normally granted API permissions.
