A flaw was found in Gateway. Sending a non-base64 'basic' auth with special characters can cause APICast to incorrectly authenticate a request. A malformed basic authentication header containing special characters bypasses authentication and allows unauthorized access to the backend. This issue can occur due to a failure in the base64 decoding process, which causes APICast to skip the rest of the authentication checks and proceed with routing the request upstream.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 18 Jun 2025 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat 3scale Api Management
CPEs cpe:2.3:a:redhat:3scale_api_management:2.0:*:*:*:*:*:*:*
Vendors & Products Redhat 3scale Api Management

Fri, 08 Nov 2024 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 05 Nov 2024 02:30:00 +0000

Type Values Removed Values Added
Metrics threat_severity

Moderate

threat_severity

Important


Mon, 04 Nov 2024 22:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Thu, 24 Oct 2024 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-863
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 24 Oct 2024 18:00:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. A flaw was found in Gateway. Sending a non-base64 'basic' auth with special characters can cause APICast to incorrectly authenticate a request. A malformed basic authentication header containing special characters bypasses authentication and allows unauthorized access to the backend. This issue can occur due to a failure in the base64 decoding process, which causes APICast to skip the rest of the authentication checks and proceed with routing the request upstream.
Title Gateway: APICast Basic Auth Bypass via Malformed Base64 HeadersSending non-base64 'basic' auth with special characters causes APICast to incorrectly authenticate a request Gateway: apicast basic auth bypass via malformed base64 headerssending non-base64 'basic' auth with special characters causes apicast to incorrectly authenticate a request
First Time appeared Redhat
Redhat red Hat 3scale Amp
CPEs cpe:/a:redhat:red_hat_3scale_amp:2
Vendors & Products Redhat
Redhat red Hat 3scale Amp
References

Thu, 24 Oct 2024 02:30:00 +0000

Type Values Removed Values Added
Title Gateway: APICast Basic Auth Bypass via Malformed Base64 Headers Gateway: APICast Basic Auth Bypass via Malformed Base64 HeadersSending non-base64 'basic' auth with special characters causes APICast to incorrectly authenticate a request

Wed, 23 Oct 2024 13:30:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title Gateway: APICast Basic Auth Bypass via Malformed Base64 Headers
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

threat_severity

Moderate


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-08-27T12:20:18.325Z

Reserved: 2024-10-23T10:27:35.174Z

Link: CVE-2024-10295

cve-icon Vulnrichment

Updated: 2024-10-24T18:21:53.937Z

cve-icon NVD

Status : Analyzed

Published: 2024-10-24T18:15:05.597

Modified: 2025-06-18T18:23:58.620

Link: CVE-2024-10295

cve-icon Redhat

Severity : Important

Publid Date: 2024-10-23T00:00:00Z

Links: CVE-2024-10295 - Bugzilla

cve-icon OpenCVE Enrichment

No data.