APIcast reuses connections when sending requests to upstream APIs, and it determines the target based on IP address. When multiple APIs are hosted on the same IP address, APIcast may reuse an incorrect connection. An attacker could use this to bypass security restrictions for an API request.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3523
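The connection reuse described above can be modelled in a few lines. This is an added example, not APIcast code: the `Pool` class, the two key functions and the hostnames are hypothetical, and the sample requests are constructed. It compares an idle-connection pool keyed only on IP and port with one that also keys on the hostname the connection was opened for.

```python
from dataclasses import dataclass

@dataclass
class Conn:
    """Model of an upstream keep-alive connection; its target is fixed at connect time."""
    ip: str
    port: int
    opened_for: str  # hostname (virtual host / SNI) the connection was established for

class Pool:
    """Idle-connection pool whose reuse decision depends entirely on key_fn."""
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.idle = {}

    def acquire(self, host, ip, port):
        bucket = self.idle.get(self.key_fn(host, ip, port), [])
        # Reuse an idle connection if the key matches, otherwise open a new one.
        return bucket.pop() if bucket else Conn(ip, port, host)

    def release(self, conn):
        key = self.key_fn(conn.opened_for, conn.ip, conn.port)
        self.idle.setdefault(key, []).append(conn)

def by_ip(host, ip, port):
    # Weak key: every API behind the same address shares one bucket.
    return (ip, port)

def by_host(host, ip, port):
    # Stricter key: a connection is only reused for the host it was opened for.
    return (host.lower(), ip, port)

def misrouted(pool, requests, port=443):
    """Return (requested_host, connection_host) pairs where the two differ."""
    out = []
    for host, ip in requests:
        conn = pool.acquire(host, ip, port)
        if conn.opened_for != host:
            out.append((host, conn.opened_for))
        pool.release(conn)
    return out

# Constructed sample: two APIs that resolve to the same documentation-range address.
REQUESTS = [("api-a.example", "203.0.113.10"),
            ("api-b.example", "203.0.113.10"),
            ("api-a.example", "203.0.113.10")]

if __name__ == "__main__":
    print("keyed by ip:  ", misrouted(Pool(by_ip), REQUESTS))
    print("keyed by host:", misrouted(Pool(by_host), REQUESTS))
```

A regression test for a gateway can use the same check: send requests for two hosts that share an address and assert that each response comes from a connection opened for the requested host.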