2321258 – (CVE-2024-10295) CVE-2024-10295 Gateway: APICast Basic Auth Bypass via Malformed Base64 HeadersSending non-base64 'basic' auth with special characters causes APICast to incorrectly authenticate a request

Bug 2321258 (CVE-2024-10295) - CVE-2024-10295 Gateway: APICast Basic Auth Bypass via Malformed Base64 HeadersSending non-base64 'basic' auth with special characters causes APICast to incorrectly authenticate a request

Summary: CVE-2024-10295 Gateway: APICast Basic Auth Bypass via Malformed Base64 Header...

Keywords:
Status:	NEW
Alias:	CVE-2024-10295
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-10-23 10:27 UTC by OSIDB Bzimport
Modified:	2025-05-15 08:28 UTC (History)
CC List:	199 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-10-23 10:27:26 UTC

When a request contains an invalid base64-encoded header (e.g., Authorization: Basic 1234?), APICast does not properly handle the decoding failure. Instead, it skips the remaining authentication steps and processes the request, allowing unauthorized access to the backend service. This can lead to potential security risks as unverified requests are processed by the backend.

Note You need to log in before you can comment on or make changes to this bug.

aazores
akostadi
alcohan
amasferr
amctagga
anjoseph
ansmith
anstephe
aoconnor
aprice
asoldano
avibelli
bbaranow
bdettelb
bgeorges
bmaxwell
bniver
boliveir
brian.stansberry
brking
caswilli
cbartlet
ccranfor
cdaley
cdewolf
chazlett
chfoley
clement.escoffier
cmah
cmiranda
dandread
danken
darran.lofthouse
davidn
dhanak
dkreling
dmayorov
doconnor
dosoudil
drichtar
dsimansk
dymurray
eaguilar
ebaron
eglynn
ehelms
fdeutsch
fjuma
flucifre
fmariani
fmongiar
ggainey
gkamathe
gmalinko
gmeno
gparvin
gsmet
gtanzill
haoli
hkataria
ibolton
istudens
ivassile
iweiss
janstey
jcammara
jcantril
jchui
jjoyce
jkoehler
jkoops
jlledo
jmartisk
jmatthew
jmitchel
jmontleo
jneedle
jnethert
jolong
jpechane
jpoth
jprabhak
jsamir
jschluet
jscholz
juwatts
jwendell
kaycoth
kegrant
kholdawa
kingland
koliveir
kshier
ktsao
kverlaen
lchilton
lgao
lhh
lsvaty
lthon
mabashia
manderse
matzew
mbenjamin
mburns
mgarciac
mhackett
mhulan
mjaros
mkudlej
mmakovy
mnovotny
mosmerov
mpierce
mrajanna
mrunge
msochure
msvehla
muagarwa
mwringe
nboldt
njean
nmoumoul
nwallace
olubyans
oramraz
owatkins
pahickey
parichar
pbraun
pcongius
pcreech
pdelbell
pdrozd
peholase
pgaikwad
pgallagh
pgrist
phoracek
pierdipi
pjindal
pmackay
probinso
pskopek
rcernich
rchan
rguimara
rhaigner
rhos-maint
rhuss
rjohnson
rmartinc
rowaters
rruss
rstancel
rstepani
rsvoboda
rtaniwa
sakbas
saroy
sausingh
sbiarozk
sdawley
sdouglas
sfeifer
sfroberg
shvarugh
simaishi
slucidi
smaestri
smallamp
smcdonal
smullick
sostapov
sseago
stcannon
sthirugn
sthorger
stirabos
swoodman
tasato
tcunning
teagle
tfister
thason
thavo
tjochec
tkral
tom.jenkinson
tqvarnst
twalsh
vereddy
vimartin
vkrizan
whayutin
wtam
yfang
yguenane
ypadia