1928302 – (CVE-2021-20252) CVE-2021-20252 3scale: missing date range handling on database query

Bug 1928302 (CVE-2021-20252) - CVE-2021-20252 3scale: missing date range handling on database query

Summary: CVE-2021-20252 3scale: missing date range handling on database query

Keywords:
Status:	NEW
Alias:	CVE-2021-20252
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1919437 1930238
TreeView+	depends on / blocked

Reported:	2021-02-12 22:52 UTC by Chess Hazlett
Modified:	2023-07-07 08:28 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in 3scale. The 3scale backend does not perform preventive handling on user-requested date ranges in certain queries allowing a malicious authenticated user to submit a request with a sufficiently large date range to eventually yield an internal server error resulting in denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Chess Hazlett 2021-02-12 22:52:02 UTC

It was found that 3scale backend does not perform preventive handling on user-requested date ranges in certain queries. A malicious authenticated user could submit a request with a sufficiently large date range eventually yielding an internal server error, resulting in denial of service.

Note You need to log in before you can comment on or make changes to this bug.