CVE-2024-10295

CWE-863 — Incorrect Authorization4 documents4 sources

Severity

7.5HIGH

EPSS

0.1%

top 75.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat 3scale API Management

Timeline

PublishedOct 24

Description

A flaw was found in Gateway. Sending a non-base64 'basic' auth with special characters can cause APICast to incorrectly authenticate a request. A malformed basic authentication header containing special characters bypasses authentication and allows unauthorized access to the backend. This issue can occur due to a failure in the base64 decoding process, which causes APICast to skip the rest of the authentication checks and proceed with routing the request upstream.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages1 packages

▶NVDredhat/3scale_api_management2.0

🔴Vulnerability Details

CVEList

Gateway: apicast basic auth bypass via malformed base64 headerssending non-base64 'basic' auth with special characters causes apicast to incorrectly authenticate a request↗2024-10-24

▶

GHSA

GHSA-qh7g-57ww-6fq4: A flaw was found in Gateway↗2024-10-24

▶

📋Vendor Advisories

Red Hat

Gateway: APICast Basic Auth Bypass via Malformed Base64 HeadersSending non-base64 'basic' auth with special characters causes APICast to incorrectly authenticate a request↗2024-10-23

▶