CVE-2023-6394: 
Java vulnerability analysis and mitigation

A security vulnerability (CVE-2023-6394) was discovered in Quarkus, affecting the GraphQL operations over WebSocket functionality. The vulnerability was disclosed on December 8, 2023, and impacts Quarkus systems where GraphQL endpoints are secured but lack specific role-based permissions. This vulnerability allows unauthorized access to secured GraphQL endpoints when requests are made over WebSocket connections (Red Hat CVE).

The vulnerability occurs when receiving a request over WebSocket with no role-based permission specified on the GraphQL operation. In such cases, Quarkus processes the request without authentication despite the endpoint being secured. The vulnerability has been assigned a CVSS v3.1 base score of 7.4 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N. The issue is specifically related to CWE-696 and CWE-862, indicating incorrect behavior for authorization mechanisms (Red Hat CVE).

The vulnerability allows attackers to bypass authentication mechanisms and access information and functionality outside of normal granted API permissions. The impact is particularly severe when GraphQL operations don't have specific role-based permissions defined. While operations with role-based permissions may fail with a NullPointerException, endpoints requiring only authentication without specific role checks remain vulnerable (Bugzilla).

The vulnerability has been fixed in Quarkus version 3.6.0. Red Hat has also released security updates for affected versions, including Red Hat build of Quarkus 2.13.9.Final and 3.2.9.Final. Users are advised to upgrade to these patched versions to address the vulnerability (Red Hat CVE).