Bug 1928302 (CVE-2021-20252) - CVE-2021-20252 3scale: missing date range handling on database query
Summary: CVE-2021-20252 3scale: missing date range handling on database query
Keywords:
Status: NEW
Alias: CVE-2021-20252
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1919437 1930238
 
Reported: 2021-02-12 22:52 UTC by Chess Hazlett
Modified: 2021-02-23 17:13 UTC
CC List: 2 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in 3scale. The 3scale backend does not perform preventive handling on user-requested date ranges in certain queries allowing a malicious authenticated user to submit a request with a sufficiently large date range to eventually yield an internal server error resulting in denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed:



Description Chess Hazlett 2021-02-12 22:52:02 UTC
It was found that 3scale backend does not perform preventive handling on user-requested date ranges in certain queries. A malicious authenticated user could submit a request with a sufficiently large date range eventually yielding an internal server error, resulting in denial of service.
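The flaw described above is the classic unbounded-range pattern: a backend takes a caller-supplied from/to pair, enumerates one bucket per period across it, and only discovers after the allocation that the range was far too large. The following Ruby module is an added illustration, not 3scale's code or its actual fix; the granularity table, the MAX_BUCKETS limit and the method names are assumptions chosen for the example. It places an unchecked enumeration beside a version that parses the range, validates ordering, and computes the bucket count arithmetically so an oversized request is rejected with a client error before anything is allocated.

```ruby
require 'time'

# Added example (hypothetical module, not 3scale's own code).
# Demonstrates bounding a user-requested date range before a stats
# backend enumerates per-period buckets for it.
module DateRangeGuard
  class InvalidRange  < StandardError; end   # malformed or reversed range -> 400
  class RangeTooLarge < StandardError; end   # legal but oversized range -> 400/413

  # Seconds per bucket for each granularity (assumed values for the example).
  GRANULARITY = {
    'hour'  => 3_600,
    'day'   => 86_400,
    'month' => 2_592_000
  }.freeze

  # Upper bound on buckets a single query may produce (assumed limit).
  MAX_BUCKETS = 1_000

  # Unchecked variant: builds one bucket per period across the whole range.
  # A multi-year range at hourly granularity materialises tens of thousands
  # of entries before the query ever reaches the datastore, which is the
  # kind of path that ends in an internal server error under load.
  def self.buckets_unchecked(from, to, granularity)
    step = GRANULARITY.fetch(granularity)
    (from.to_i..to.to_i).step(step).map { |t| Time.at(t).utc }
  end

  # Checked variant: parse, validate, and size the range arithmetically.
  # Returns [from, to, bucket_count]; raises before any bucket is allocated.
  def self.parse_range(from_param, to_param, granularity)
    step = GRANULARITY.fetch(granularity) do
      raise InvalidRange, "unknown granularity #{granularity.inspect}"
    end
    from = parse_time(from_param)
    to   = parse_time(to_param)
    raise InvalidRange, 'from must not be after to' if from > to

    # Number of bucket starts in [from, to]; computed without enumerating.
    count = ((to - from) / step).floor + 1
    if count > MAX_BUCKETS
      raise RangeTooLarge, "#{count} buckets exceeds limit of #{MAX_BUCKETS}"
    end

    [from, to, count]
  end

  # Strict ISO 8601 parsing; anything else is a client error, not a 500.
  def self.parse_time(value)
    Time.iso8601(value.to_s)
  rescue ArgumentError
    raise InvalidRange, "unparseable timestamp #{value.inspect}"
  end

  # Builds buckets only after the range has passed the checks above.
  def self.buckets_checked(from_param, to_param, granularity)
    from, to, _count = parse_range(from_param, to_param, granularity)
    buckets_unchecked(from, to, granularity)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests: one reasonable, one abusive.
  ok = DateRangeGuard.parse_range('2021-01-01T00:00:00Z', '2021-01-02T00:00:00Z', 'hour')
  puts "accepted: #{ok[2]} hourly buckets"
  begin
    DateRangeGuard.parse_range('2010-01-01T00:00:00Z', '2021-01-01T00:00:00Z', 'hour')
  rescue DateRangeGuard::RangeTooLarge => e
    puts "rejected: #{e.message}"
  end
end
```

The point of computing `count` arithmetically is that the rejection costs O(1) regardless of how large the requested range is; a check that first builds the bucket list and then measures it would still pay the allocation the attacker is trying to trigger. The limit should be set per granularity and per endpoint from real query-cost measurements rather than the placeholder used here.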

