CVE-2020-14388

CWE-284 — Improper Access Control5 documents5 sources

Severity

6.3MEDIUM

EPSS

0.2%

top 60.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat 3scale API Management

Timeline

PublishedJun 2

Latest updateMay 24

Description

A flaw was found in the Red Hat 3scale API Management Platform, where member permissions for an API's admin portal were not properly enforced. This flaw allows an authenticated user to bypass normal account restrictions and access API services where they do not have permission.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.4

Affected Packages2 packages

▶NVDredhat/3scale_api_management2.0

▶CVEListV5red_hat_3scale_api_managementRed Hat 3scale API Management 2.10.0

🔴Vulnerability Details

GHSA

GHSA-rf23-4mjm-jm7q: A flaw was found in the Red Hat 3scale API Management Platform, where member permissions for an API's admin portal were not properly enforced↗2022-05-24

▶

CVEList

CVE-2020-14388: A flaw was found in the Red Hat 3scale API Management Platform, where member permissions for an API's admin portal were not properly enforced↗2021-06-02

▶

📋Vendor Advisories

Red Hat

3scale-system: member role permissions bypass when editing services↗2020-08-26

▶

💬Community

Bugzilla

CVE-2020-14388 3scale-system: member role permissions bypass when editing services↗2020-09-03

▶