Apicast proxies the api call with incorrect jwt token to the api backend without proper authorization check
CVE-2023-0456

7.4HIGH

Key Information:

Vendor: Red Hat
Status: Apicast; Red Hat 3scale Api Management Platform 2
Vendor: CVE Published:; 27 September 2023

Summary

A flaw in the APICast OIDC module fails to properly handle responses from mismatched tokens originating from different realms. This oversight can potentially allow attackers to gain unauthorized access to sensitive information, as it might open doors to realms that should remain secure. Timely patching and updates are essential to safeguard against such vulnerabilities.

Affected Version(s)

apicast 2.13.2

apicast 2.14.0

apicast 2.12.2

References

https://access.redhat.com/security/cve/CVE-2023-0456

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2163586

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 27, 2023
Vulnerability Reserved
Jan 24, 2023

Collectors

NVD DatabaseMitre Database