3Scale Api Management
CVE-2024-10295
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from Vendor (redhat) · only source for this CVE.
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
A flaw was found in Gateway. Sending a non-base64 'basic' auth with special characters can cause APICast to incorrectly authenticate a request. A malformed basic authentication header containing special characters bypasses authentication and allows unauthorized access to the backend. This issue can occur due to a failure in the base64 decoding process, which causes APICast to skip the rest of the authentication checks and proceed with routing the request upstream.
AnalysisAI
A flaw was found in Gateway. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. A flaw was found in Gateway. Sending a non-base64 'basic' auth with special characters can cause APICast to incorrectly authenticate a request. A malformed basic authentication header containing special characters bypasses authentication and allows unauthorized access to the backend. This issue can occur due to a failure in the base64 decoding process, which causes APICast to skip the rest of the authentication checks and proceed with routing the request upstream. Affected products include: Redhat 3Scale Api Management.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.
More in 3Scale Api Management
View all3scale API Management 2 does not perform adequate sanitation for user input in multiple fields. Rated high severity (CVS
A random memory access flaw was found in the Linux kernel's GPU i915 kernel driver functionality in the way a user may r
In ghostscript before version 9.50, the .buildfont1 procedure did not properly secure its privileged calls, enabling scr
It was found that all versions of 3Scale developer portal lacked brute force protections. Rated high severity (CVSS 7.3)
A flaw was found in Red Hat 3scale API Management Platform 2. Rated medium severity (CVSS 6.5), this vulnerability is re
A flaw was found In 3Scale Admin Portal. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today