CVE-2021-27306

Опубликовано: 18 мар. 2021

Источник: nvd

CVSS3: 7.5

CVSS2: 4.3

EPSS Низкий

Описание

An improper access control vulnerability in the JWT plugin in Kong Gateway prior to 2.3.2.0 allows unauthenticated users access to authenticated routes without a valid token JWT.

Ссылки

https://docs.konghq.com/enterprise/changelog/#core-1
Vendor Advisory
https://medium.com/%40sew.campos/cve-2021-27306-access-an-authenticated-route-on-kong-api-gateway-6ae3d81968a3
https://docs.konghq.com/enterprise/changelog/#core-1
Vendor Advisory
https://medium.com/%40sew.campos/cve-2021-27306-access-an-authenticated-route-on-kong-api-gateway-6ae3d81968a3

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:konghq:kong_gateway:*:*:*:*:enterprise:*:*:*

Версия до 2.3.2.0 (исключая)

EPSS

Процентиль: 81%

0.01471

Низкий

7.5 High

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-706

Связанные уязвимости

GHSA-vh85-5xw7-5gvq