{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-0560", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-01-15T13:16:09.681Z", "datePublished": "2024-02-28T16:37:01.247Z", "dateUpdated": "2025-11-20T18:09:12.702Z"}, "containers": {"cna": {"title": "Apicast: use_3scale_oidc_issuer_endpoint of token introspection policy isn't compatible with rh-sso 7.5 or later versions", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in 3Scale, when used with Keycloak 15 (or RHSSO 7.5.0) and superiors. When the auth_type is use_3scale_oidc_issuer_endpoint, the Token Introspection policy discovers the Token Introspection endpoint from the token_introspection_endpoint field, but the field was removed on RH-SSO 7.5. As a result, the policy doesn't inspect tokens, it determines that all tokens are valid."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "2.14.1", "versionType": "semver"}], "packageName": "APIcast", "collectionURL": "https://github.com/3scale/APIcast", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat 3scale API Management Platform 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "apicast", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:red_hat_3scale_amp:2"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-0560", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258456", "name": "RHBZ#2258456", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/3scale/APIcast/pull/1438"}], "datePublic": "2024-02-28T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-280", "description": "Improper Handling of Insufficient Permissions or Privileges", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-280: Improper Handling of Insufficient Permissions or Privileges", "workarounds": [{"lang": "en", "value": "Use an alternate auth_type: auth_type: client_id+client_secret. Disabling the policy entirely might be a temporary solution if the alternate {{auth_type is not feasible for some reason. The only purpose the token introspection endpoint serves is for sessions that are revoked in RH SSO before the standard TTL expires via the exp claim."}], "timeline": [{"lang": "en", "time": "2024-01-15T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-02-28T00:00:00.000Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-11-20T18:09:12.702Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:11:35.164Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-0560", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258456", "name": "RHBZ#2258456", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://github.com/3scale/APIcast/pull/1438", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-28T15:06:23.831738Z", "id": "CVE-2024-0560", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T15:06:38.118Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-0560", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258456", "name": "RHBZ#2258456", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://github.com/3scale/APIcast/pull/1438", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:11:35.164Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0560", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-28T15:06:23.831738Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T15:06:31.087Z"}}], "cna": {"title": "Apicast: use_3scale_oidc_issuer_endpoint of token introspection policy isn't compatible with rh-sso 7.5 or later versions", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "2.14.1", "versionType": "semver"}], "packageName": "APIcast", "collectionURL": "https://github.com/3scale/APIcast", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:red_hat_3scale_amp:2"], "vendor": "Red Hat", "product": "Red Hat 3scale API Management Platform 2", "packageName": "apicast", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-01-15T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-02-28T00:00:00.000Z", "value": "Made public."}], "datePublic": "2024-02-28T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-0560", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258456", "name": "RHBZ#2258456", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/3scale/APIcast/pull/1438"}], "workarounds": [{"lang": "en", "value": "Use an alternate auth_type: auth_type: client_id+client_secret. Disabling the policy entirely might be a temporary solution if the alternate {{auth_type is not feasible for some reason. The only purpose the token introspection endpoint serves is for sessions that are revoked in RH SSO before the standard TTL expires via the exp claim."}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in 3Scale, when used with Keycloak 15 (or RHSSO 7.5.0) and superiors. When the auth_type is use_3scale_oidc_issuer_endpoint, the Token Introspection policy discovers the Token Introspection endpoint from the token_introspection_endpoint field, but the field was removed on RH-SSO 7.5. As a result, the policy doesn't inspect tokens, it determines that all tokens are valid."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-280", "description": "Improper Handling of Insufficient Permissions or Privileges"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-11-20T18:09:12.702Z"}, "x_redhatCweChain": "CWE-280: Improper Handling of Insufficient Permissions or Privileges"}}, "cveMetadata": {"cveId": "CVE-2024-0560", "state": "PUBLISHED", "dateUpdated": "2025-11-20T18:09:12.702Z", "dateReserved": "2024-01-15T13:16:09.681Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-02-28T16:37:01.247Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:3scale:-:*:*:*:*:*:*:*", "matchCriteriaId": "361BF9ED-8420-47B9-9AE7-06E53424A05C", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:keycloak:15.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "2EAA485C-AF47-41AC-BF9F-97F262B5BE4E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in 3Scale, when used with Keycloak 15 (or RHSSO 7.5.0) and superiors. When the auth_type is use_3scale_oidc_issuer_endpoint, the Token Introspection policy discovers the Token Introspection endpoint from the token_introspection_endpoint field, but the field was removed on RH-SSO 7.5. As a result, the policy doesn't inspect tokens, it determines that all tokens are valid."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en 3Scale, cuando se usa con Keycloak 15 (o RHSSO 7.5.0) y superiores. Cuando auth_type es use_3scale_oidc_issuer_endpoint, la pol\u00edtica de Token Introspection descubre el endpoint de Token Introspection desde el campo token_introspection_endpoint, pero el campo se elimin\u00f3 en RH-SSO 7.5. Como resultado, la pol\u00edtica no inspecciona los tokens, sino que determina que todos los tokens son v\u00e1lidos."}], "id": "CVE-2024-0560", "lastModified": "2025-01-21T18:31:10.947", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-28T17:15:08.340", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2024-0560"}, {"source": "secalert@redhat.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258456"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "https://github.com/3scale/APIcast/pull/1438"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2024-0560"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258456"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/3scale/APIcast/pull/1438"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-280"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"bugzilla": {"description": "apicast: use_3scale_oidc_issuer_endpoint of Token Introspection policy isn't compatible with RH-SSO 7.5 or later versions", "id": "2258456", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258456"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-280", "details": ["A vulnerability was found in 3Scale, when used with Keycloak 15 (or RHSSO 7.5.0) and superiors. When the auth_type is use_3scale_oidc_issuer_endpoint, the Token Introspection policy discovers the Token Introspection endpoint from the token_introspection_endpoint field, but the field was removed on RH-SSO 7.5. As a result, the policy doesn't inspect tokens, it determines that all tokens are valid.", "A vulnerability was found in 3Scale, when used with Keycloak 15 (or RHSSO 7.5.0) and superiors. When the auth_type is use_3scale_oidc_issuer_endpoint, the Token Introspection policy discovers the Token Introspection endpoint from the token_introspection_endpoint field, but the field was removed on RH-SSO 7.5. As a result, the policy doesn't inspect tokens, it determines that all tokens are valid."], "mitigation": {"lang": "en:us", "value": "Use an alternate auth_type: auth_type: client_id+client_secret. Disabling the policy entirely might be a temporary solution if the alternate {{auth_type is not feasible for some reason. The only purpose the token introspection endpoint serves is for sessions that are revoked in RH SSO before the standard TTL expires via the exp claim."}, "name": "CVE-2024-0560", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "apicast", "product_name": "Red Hat 3scale API Management Platform 2"}], "public_date": "2024-02-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-0560\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-0560\nhttps://github.com/3scale/APIcast/pull/1438"], "statement": "Red Hat considers this as a Moderate flaw, as 3Scale will allow revoked or expired tokens, however, it will not allow tokens belonging to an unauthorized client. A client cannot access the services to which it is not subscribed because the authrep request is still performed correctly and will reject the client_id extracted from the JWT. This requires the attacker to obtain a token and could jeopardize a small and uncontrolled amount of data.", "threat_severity": "Moderate"}

{}