Bug 2004322 (CVE-2021-3814)
| Summary: | CVE-2021-3814 3scale: missing validation of access token | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Chess Hazlett <chazlett> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | amackenz, amasferr, chazlett, mkudlej, tjochec |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | 3scale 2.11 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in 3scale's API docs, where it does not validate the access token. In the case of an invalid token, it uses session auth instead. This issue possibly bypasses access controls and permits unauthorized information disclosure.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2004324, 2005421 | ||
|
Description
Chess Hazlett
2021-09-15 02:08:29 UTC
|