CVE-2020-25634

CWE-284 — Improper Access Control CWE-306 — Missing Authentication5 documents5 sources

Severity

5.4MEDIUM

EPSS

0.1%

top 70.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat 3scale Redhat 3scale API Management

Timeline

PublishedMay 26

Latest updateMay 24

Description

A flaw was found in Red Hat 3scale’s API docs URL, where it is accessible without credentials. This flaw allows an attacker to view sensitive information or modify service APIs. Versions before 3scale-2.10.0-ER1 are affected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages3 packages

▶NVDredhat/3scale< 2.10.0+1

▶CVEListV53scale-systembefore 3scale-2.10.0-ER1

▶NVDredhat/3scale_api_management2.0

🔴Vulnerability Details

GHSA

GHSA-3f3r-g48r-83hh: A flaw was found in Red Hat 3scale’s API docs URL, where it is accessible without credentials↗2022-05-24

▶

CVEList

CVE-2020-25634: A flaw was found in Red Hat 3scale’s API docs URL, where it is accessible without credentials↗2021-05-26

▶

📋Vendor Advisories

Red Hat

3scale-system: API docs accessible without permissions↗2020-08-26

▶

💬Community

Bugzilla

CVE-2020-25634 3scale-system: API docs accessible without permissions↗2020-09-17

▶