PT-2024-2635 · Red Hat · Rh-Sso +2

Patrick Del Bello · Published 2024-02-28 · Updated 2025-01-21 · CVE-2024-0560

CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: 3Scale versions used with Keycloak 15 (or RHSSO 7.5.0)

Description: The issue is related to incorrect handling of insufficient permissions or privileges in the 3Scale API Management software. When the auth type is set to "use 3scale oidc issuer endpoint", the Token Introspection policy fails to inspect tokens because the token introspection endpoint field was removed in RH-SSO 7.5. As a result, the policy treats every token as valid. This could allow a remote attacker to execute arbitrary code.

Recommendations: For 3Scale versions used with Keycloak 15 (or RHSSO 7.5.0), consider disabling the "use 3scale oidc issuer endpoint" auth type until a patch is available, so that the Token Introspection policy does not incorrectly validate tokens. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
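The failure mode described above, as an added example that is not 3scale's, Keycloak's or RH-SSO's own code: a minimal introspection policy run over constructed discovery documents, showing the fail-open behaviour (a missing endpoint means nothing is rejected) beside a fail-closed one, plus a deployment check that flags the missing field. The field name INTROSPECTION_FIELD, the issuer host and the token values are assumptions.

```python
from dataclasses import dataclass, field

# Field the policy expects in the issuer's discovery document (assumption:
# the advisory says the field was removed, not which name the policy reads).
INTROSPECTION_FIELD = "introspection_endpoint"

# Constructed discovery documents standing in for the issuer's
# /.well-known/openid-configuration response (placeholder host).
DOC_WITH_ENDPOINT = {
    "issuer": "https://issuer.example/realms/demo",
    INTROSPECTION_FIELD: "https://issuer.example/realms/demo/introspect",
}
DOC_MISSING_ENDPOINT = {"issuer": "https://issuer.example/realms/demo"}

# Constructed stand-in for the introspection endpoint's responses
# (RFC 7662 shape: {"active": bool}), keyed by endpoint URL, then token.
BACKEND = {
    DOC_WITH_ENDPOINT[INTROSPECTION_FIELD]: {
        "good-token": {"active": True},
        "revoked-token": {"active": False},
    }
}


def missing_discovery_fields(doc, required=(INTROSPECTION_FIELD,)):
    """Deployment check: required fields the discovery document lacks."""
    return [name for name in required if not doc.get(name)]


@dataclass
class IntrospectionPolicy:
    discovery: dict
    backend: dict = field(default_factory=dict)
    fail_closed: bool = True  # False reproduces the fail-open behaviour

    def is_valid(self, token: str) -> bool:
        endpoint = self.discovery.get(INTROSPECTION_FIELD)
        if not endpoint:
            # No endpoint to call. Fail-open: "nothing to reject", so every
            # token passes. Fail-closed: the policy cannot verify, so reject.
            return not self.fail_closed
        response = self.backend.get(endpoint, {}).get(token, {"active": False})
        return response.get("active") is True
```

Running `missing_discovery_fields` against the live discovery document is the quickest way to confirm whether a deployment is in the state the advisory describes.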

Weakness Enumeration

Related Identifiers

BDU:2024-02702
CVE-2024-0560

Affected Products

3Scale
Keycloak
Rh-Sso