CVE-2023-6394

Name of the Vulnerable Software and Affected Versions Quarkus (affected versions not specified)

Description The issue is related to the incorrect implementation of the sequence of actions in the Quarkus Java framework's WebSocket technology, resulting from insufficient access restriction when processing GraphQL requests. This can allow a remote attacker to gain unauthorized access to protected information and elevate their privileges. The problem occurs when a request is received over WebSocket with no role-based permission specified on the GraphQL operation, and Quarkus processes the request without authentication despite the endpoint being secured.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.