Bug 2252197 (CVE-2023-6394)
Summary: | CVE-2023-6394 quarkus: GraphQL operations over WebSockets bypass | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Chess Hazlett <chazlett> |
Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
Status: | NEW --- | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | anstephe, avibelli, bgeorges, chazlett, clement.escoffier, dandread, dkreling, gsmet, jmartisk, lthon, max.andersen, mosmerov, olubyans, peholase, pgallagh, pjindal, probinso, rruss, rsvoboda, sbiarozk, sdouglas, security-response-team, tqvarnst |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | quarkus 3.6.0 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 2250889 |
Description
Chess Hazlett
2023-11-30 04:07:09 UTC
|