A vulnerability was found in 3Scale, when used with Keycloak 15 (or RHSSO 7.5.0) and superiors. When the auth_type is use_3scale_oidc_issuer_endpoint, the Token Introspection policy discovers the Token Introspection endpoint from the token_introspection_endpoint field, but the field was removed on RH-SSO 7.5. As a result, the policy doesn't inspect tokens, it determines that all tokens are valid.
Fixes

Solution

No solution given by the vendor.


Workaround

Use an alternate auth_type: auth_type: client_id+client_secret. Disabling the policy entirely might be a temporary solution if the alternate {{auth_type is not feasible for some reason. The only purpose the token introspection endpoint serves is for sessions that are revoked in RH SSO before the standard TTL expires via the exp claim.

History

Fri, 07 Feb 2025 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Jan 2025 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat 3scale
Redhat keycloak
CPEs cpe:2.3:a:redhat:3scale:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:keycloak:15.0.0:*:*:*:*:*:*:*
Vendors & Products Redhat 3scale
Redhat keycloak

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-08-30T08:20:03.535Z

Reserved: 2024-01-15T13:16:09.681Z

Link: CVE-2024-0560

cve-icon Vulnrichment

Updated: 2024-08-01T18:11:35.164Z

cve-icon NVD

Status : Analyzed

Published: 2024-02-28T17:15:08.340

Modified: 2025-01-21T18:31:10.947

Link: CVE-2024-0560

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-02-28T00:00:00Z

Links: CVE-2024-0560 - Bugzilla

cve-icon OpenCVE Enrichment

No data.