Improper Access Control Vulnerability in Kong Gateway JWT Plugin
CVE-2021-27306

7.5HIGH

Key Information:

Vendor

Konghq

Vendor
CVE Published:
18 March 2021

What is CVE-2021-27306?

The JWT plugin in Kong Gateway prior to version 2.3.2.0 is susceptible to an improper access control vulnerability. This flaw permits unauthenticated users to gain access to authenticated routes without the necessity of a valid JWT token. Such unauthorized access can lead to exposure of sensitive data and resources, posing significant security risks. Users are encouraged to update their Kong Gateway to the latest version to mitigate this vulnerability and enhance their overall security posture.

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.