Lucene search

Redhat.comRH:CVE-2024-0560

HistoryFeb 28, 2024 - 4:36 p.m.

CVE-2024-0560

2024-02-2816:36:40

redhat.com

access.redhat.com

3scale

keycloak 15

rhsso 7.5.0

token introspection policy

vulnerability

auth_type

token introspection endpoint

mitigation

client_id+client_secret

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

AI Score

7.2

Confidence

Low

EPSS

Percentile

15.5%

JSON

A vulnerability was found in 3Scale, when used with Keycloak 15 (or RHSSO 7.5.0) and superiors. When the auth_type is use_3scale_oidc_issuer_endpoint, the Token Introspection policy discovers the Token Introspection endpoint from the token_introspection_endpoint field, but the field was removed on RH-SSO 7.5. As a result, the policy doesn’t inspect tokens, it determines that all tokens are valid.

Mitigation

Use an alternate auth_type: auth_type: client_id+client_secret. Disabling the policy entirely might be a temporary solution if the alternate {{auth_type is not feasible for some reason. The only purpose the token introspection endpoint serves is for sessions that are revoked in RH SSO before the standard TTL expires via the exp claim.

References

bugzilla.redhat.com/show_bug.cgi?id=2258456

github.com/3scale/APIcast/pull/1438

nvd.nist.gov/vuln/detail/CVE-2024-0560

www.cve.org/CVERecord?id=CVE-2024-0560