CVE-2024-0560 in upstreaminfo

Summary

by MITRE • 02/28/2024

A vulnerability was found in 3Scale, when used with Keycloak 15 (or RHSSO 7.5.0) and superiors. When the auth_type is use_3scale_oidc_issuer_endpoint, the Token Introspection policy discovers the Token Introspection endpoint from the token_introspection_endpoint field, but the field was removed on RH-SSO 7.5. As a result, the policy doesn't inspect tokens, it determines that all tokens are valid.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 01/21/2025

The vulnerability identified as CVE-2024-0560 represents a critical authentication bypass flaw in the 3Scale API management platform when integrated with Keycloak 15 or Red Hat Single Sign-On (RHSSO) 7.5.0 and later versions. This issue stems from a fundamental misconfiguration in the token validation process that occurs when the system employs the use_3scale_oidc_issuer_endpoint authentication type. The flaw manifests specifically within the Token Introspection policy mechanism that is responsible for validating the authenticity and validity of security tokens presented by users. The vulnerability is particularly concerning because it undermines the core security controls that protect API access and user authentication within enterprise environments.

The technical root cause of this vulnerability lies in the removal of the token_introspection_endpoint field from the OpenID Connect discovery document in RHSSO 7.5.0 and subsequent versions. This field removal was part of a broader architectural change in the identity management system that affected how service providers discover and interact with token introspection endpoints. When the 3Scale Token Introspection policy attempts to validate tokens, it relies on this specific field to locate the appropriate endpoint for token verification. Without this field being present in the discovery response, the policy fails to perform proper token validation and instead makes a flawed assumption that all tokens are valid, effectively disabling the security mechanism designed to authenticate and authorize API requests.

The operational impact of this vulnerability is severe and far-reaching within organizations that depend on 3Scale for API management and security. Attackers who can exploit this flaw can bypass authentication mechanisms entirely, gaining unauthorized access to protected APIs and services without proper credentials or token validation. This vulnerability particularly affects enterprise environments where 3Scale is integrated with Keycloak or RHSSO for centralized identity management, as it essentially renders the token validation process ineffective. The consequences extend beyond simple unauthorized access to include potential data breaches, privilege escalation, and unauthorized manipulation of API resources that organizations rely on for their digital services.

Organizations affected by this vulnerability should immediately implement mitigations that address the root cause of the issue. The primary remediation involves updating the 3Scale configuration to use alternative authentication mechanisms that do not rely on the deprecated token_introspection_endpoint field, or implementing custom policies that properly handle the endpoint discovery process. Security teams should also consider implementing additional monitoring and logging around token validation activities to detect potential exploitation attempts. The vulnerability aligns with CWE-284 Access Control Issues and represents a clear violation of the principle of least privilege in API security management. From an ATT&CK perspective, this vulnerability maps to T1078 Valid Accounts and T1566 Phishing, as it enables attackers to leverage valid tokens to gain unauthorized access to protected resources without proper authentication mechanisms. Organizations should also consider implementing network-level controls and API gateway security measures that can detect and prevent unauthorized access attempts even when the primary authentication mechanisms fail.

Responsible

Red Hat, Inc.

Reservation

01/15/2024

Disclosure

02/28/2024

Moderation

accepted

CPE

ready

EPSS

0.00486

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!