Lucene search

[email protected]CVE-2021-27306

HistoryMar 18, 2021 - 3:15 p.m.

CVE-2021-27306

2021-03-1815:15:16

CWE-706

[email protected]

web.nvd.nist.gov

cve-2021-27306

access control

vulnerability

jwt plugin

kong gateway

unauthenticated users

authenticated routes

nvd

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.2%

JSON

An improper access control vulnerability in the JWT plugin in Kong Gateway prior to 2.3.2.0 allows unauthenticated users access to authenticated routes without a valid token JWT.

Affected configurations

NVD

Node

konghqkong_gatewayRange<2.3.2.0enterprise

CPENameOperatorVersion
konghq:kong_gatewaykonghq kong gatewaylt2.3.2.0

CPE	Name	Operator	Version
konghq:kong_gateway	konghq kong gateway	lt	2.3.2.0

References

docs.konghq.com/enterprise/changelog/#core-1

medium.com/%40sew.campos/cve-2021-27306-access-an-authenticated-route-on-kong-api-gateway-6ae3d81968a3

Social References

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.2%

JSON

Related for CVE-2021-27306

cvelist1 nvd1 prion1