CVE-2024-0560
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
A vulnerability was found in 3Scale, when used with Keycloak 15 (or RHSSO 7.5.0) and superiors. When the auth_type is use_3scale_oidc_issuer_endpoint, the Token Introspection policy discovers the Token Introspection endpoint from the token_introspection_endpoint field, but the field was removed on RH-SSO 7.5. As a result, the policy doesn't inspect tokens, it determines that all tokens are valid.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
0 < 2.14.1 | affected |
Weaknesses
- CWE-280: Improper Handling of Insufficient Permissions or Privileges
Workarounds
Use an alternate auth_type: auth_type: client_id+client_secret. Disabling the policy entirely might be a temporary solution if the alternate {{auth_type is not feasible for some reason. The only purpose the token introspection endpoint serves is for sessions that are revoked in RH SSO before the standard TTL expires via the exp claim.
ADP Enrichment
CVE Program Container
Additional References
- https://access.redhat.com/security/cve/CVE-2024-0560
- https://bugzilla.redhat.com/show_bug.cgi?id=2258456
- https://github.com/3scale/APIcast/pull/1438
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://access.redhat.com/security/cve/CVE-2024-0560
- https://bugzilla.redhat.com/show_bug.cgi?id=2258456
- https://github.com/3scale/APIcast/pull/1438
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.