CVE-2021-3814 – 3scale: missing validation of access token
https://notcve.org/view.php?id=CVE-2021-3814
It was found that 3scale's API docs do not validate the access token; when the token is invalid, session authentication is used instead. This conceivably bypasses access controls and permits unauthorized information disclosure.
• References: https://bugzilla.redhat.com/show_bug.cgi?id=2004322 https://access.redhat.com/security/cve/CVE-2021-3814
• CWE-862: Missing Authorization
CVE-2020-25634
https://notcve.org/view.php?id=CVE-2020-25634
A flaw was found in Red Hat 3scale's API docs URL, which is accessible without credentials. This flaw allows an attacker to view sensitive information or modify service APIs. Versions before 3scale-2.10.0-ER1 are affected.
• References: https://bugzilla.redhat.com/show_bug.cgi?id=1880201
• CWE-284: Improper Access Control
• CWE-306: Missing Authentication for Critical Function
CVE-2019-14836 – 3scale: dev portal missing protection against login CSRF
https://notcve.org/view.php?id=CVE-2019-14836
It was found that the 3scale dev portal does not employ mechanisms for protection against login CSRF. An attacker could use this flaw to access unauthorized information or conduct further attacks.
• References: https://bugzilla.redhat.com/show_bug.cgi?id=1847605 https://access.redhat.com/security/cve/CVE-2019-14836 https://bugzilla.redhat.com/show_bug.cgi?id=1750928
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2019-14849 – 3scale: user session cookie does not set HTTPOnly
https://notcve.org/view.php?id=CVE-2019-14849
A vulnerability was found in 3scale before version 2.6, which did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross-site scripting attacks and gain access to unauthorized information.
• References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849 https://access.redhat.com/security/cve/CVE-2019-14849 https://bugzilla.redhat.com/show_bug.cgi?id=1712167
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-201: Insertion of Sensitive Information Into Sent Data