Description
A vulnerability was found in 3Scale when used with Keycloak 15 (or RH-SSO 7.5.0) and later. When auth_type is use_3scale_oidc_issuer_endpoint, the Token Introspection policy discovers the token introspection endpoint from the token_introspection_endpoint field of the OIDC discovery document, but that field was removed in RH-SSO 7.5. As a result, the policy never calls the introspection endpoint and treats every token as valid.
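The fail-open behaviour described above, next to a fail-closed way of resolving the introspection endpoint, as an added Python illustration that is not 3scale's or APIcast's code. The discovery documents and the set of active tokens are constructed, the HTTP introspection call is replaced by a lookup, and the standard field name introspection_endpoint is the RFC 8414 name that is assumed here as the replacement for the legacy field.

```python
import json
from urllib.parse import urlparse

# Constructed sample discovery documents (not real Keycloak output).
# The first carries the legacy field the policy relied on; the second models a
# server that publishes only the standard RFC 8414 name.
LEGACY_DISCOVERY = json.dumps({
    "issuer": "https://sso.example.test/auth/realms/api",
    "token_introspection_endpoint": "https://sso.example.test/auth/realms/api/introspect",
})
NEW_DISCOVERY = json.dumps({
    "issuer": "https://sso.example.test/auth/realms/api",
    "introspection_endpoint": "https://sso.example.test/auth/realms/api/introspect",
})

# Constructed: tokens the introspection endpoint would report as active.
ACTIVE_TOKENS = {"tok-active"}


def introspect(endpoint, token):
    # Stand-in for the RFC 7662 POST to the introspection endpoint; returns 'active'.
    return token in ACTIVE_TOKENS


def is_valid_fail_open(discovery_json, token):
    # Models the behaviour in the advisory: when the legacy field is absent no
    # endpoint is found, introspection is skipped and every token is accepted.
    endpoint = json.loads(discovery_json).get("token_introspection_endpoint")
    if endpoint is None:
        return True
    return introspect(endpoint, token)


def resolve_endpoint(discovery_json):
    # Hardened resolution: prefer the standard name, fall back to the legacy one,
    # and refuse to continue unless the value is an HTTPS URL on the issuer's host.
    doc = json.loads(discovery_json)
    endpoint = doc.get("introspection_endpoint") or doc.get("token_introspection_endpoint")
    if not endpoint:
        raise RuntimeError("discovery document carries no introspection endpoint")
    url, issuer = urlparse(endpoint), urlparse(doc.get("issuer", ""))
    if url.scheme != "https" or url.netloc != issuer.netloc:
        raise RuntimeError("introspection endpoint is not an HTTPS URL on the issuer host")
    return endpoint


def is_valid_fail_closed(discovery_json, token):
    try:
        endpoint = resolve_endpoint(discovery_json)
    except RuntimeError:
        return False  # fail closed: an unverifiable token is rejected, not accepted
    return introspect(endpoint, token)
```

Logging the RuntimeError at policy load time rather than per request is the signal a defender wants: a gateway that suddenly resolves no introspection endpoint after an SSO upgrade is exactly this condition.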
EPSS
6.3 Medium
CVSS3
4.3 Medium
CVSS3
Related vulnerabilities
A vulnerability in the Red Hat 3scale API Management API-management software, related to incorrect handling of insufficient permissions or privileges, allowing an attacker to execute arbitrary code.