CVE-2021-3814

Severity: 7.5 HIGH
EPSS: 0.3% (top 50.31%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 25
Latest update: Mar 26

Description

It was found that 3scale's APIdocs does not validate the access token; when the token is invalid, it falls back to session authentication instead. This conceivably bypasses access controls and permits unauthorized information disclosure.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

NVD: redhat/3scale < 2.11.0
CVEListV5: 3scale 3scale 2.11

Vulnerability Details (2)

GHSA
GHSA-46fh-44xx-6xgh: It was found that 3scale's APIdocs does not validate the access token, in the case of invalid token, it uses session auth instead (2022-03-26)

CVEList
CVE-2021-3814: It was found that 3scale's APIdocs does not validate the access token, in the case of invalid token, it uses session auth instead (2022-03-25)

Vendor Advisories (1)

Red Hat
3scale: missing validation of access token (2021-09-22)