Search Results

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): 3scale
  • Search Type: Search All
  • CPE Name Search: false
There are 14 matching records.
Displaying matches 1 through 14.
Vuln ID Summary CVSS Severity
CVE-2024-0560

A vulnerability was found in 3Scale when used with Keycloak 15 (or RHSSO 7.5.0) and later. When the auth_type is use_3scale_oidc_issuer_endpoint, the Token Introspection policy discovers the Token Introspection endpoint from the token_introspection_endpoint field, but the field was removed in RH-SSO 7.5. As a result, the policy doesn't inspect tokens; it determines that all tokens are valid.

Published: February 28, 2024; 12:15:08 PM -0500
V3.x:(not available)
V2.0:(not available)
CVE-2023-4910

A flaw was found in the 3Scale Admin Portal. If a user logs out from the personal tokens page and then presses the back button in the browser, the tokens page is rendered from the browser cache.

Published: November 06, 2023; 8:15:10 AM -0500
V3.1: 5.5 MEDIUM
V2.0:(not available)
CVE-2023-0456

A flaw was found in APICast, when 3Scale's OIDC module does not properly evaluate the response to a mismatched token from a separate realm. This could allow a separate realm to be accessible to an attacker, permitting access to unauthorized information.

Published: September 27, 2023; 11:16:03 AM -0400
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2022-1414

3scale API Management 2 does not perform adequate sanitization of user input in multiple fields. An authenticated user could use this flaw to inject scripts and possibly gain access to sensitive information or conduct further attacks.

Published: October 19, 2022; 2:15:11 PM -0400
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2021-3523

A flaw was found in 3Scale APICast in versions prior to 2.11.0, where it incorrectly identified connections for reuse. This flaw allows an attacker to bypass security restrictions for an API request when hosting multiple APIs on the same IP address.

Published: April 27, 2022; 5:15:08 PM -0400
V3.1: 7.5 HIGH
V2.0: 4.3 MEDIUM
CVE-2021-3814

It was found that 3scale's APIdocs does not validate the access token; in the case of an invalid token, it uses session auth instead. This conceivably bypasses access controls and permits unauthorized information disclosure.

Published: March 25, 2022; 3:15:09 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2020-14388

A flaw was found in the Red Hat 3scale API Management Platform, where member permissions for an API's admin portal were not properly enforced. This flaw allows an authenticated user to bypass normal account restrictions and access API services where they do not have permission.

Published: June 02, 2021; 9:15:10 AM -0400
V3.1: 6.3 MEDIUM
V2.0: 6.5 MEDIUM
CVE-2021-3412

It was found that all versions of 3Scale developer portal lacked brute force protections. An attacker could use this gap to bypass login controls, and access privileged information, or possibly conduct further attacks.

Published: June 01, 2021; 10:15:10 AM -0400
V3.1: 7.3 HIGH
V2.0: 5.0 MEDIUM
CVE-2020-25634

A flaw was found in Red Hat 3scale’s API docs URL, where it is accessible without credentials. This flaw allows an attacker to view sensitive information or modify service APIs. Versions before 3scale-2.10.0-ER1 are affected.

Published: May 26, 2021; 5:15:08 PM -0400
V3.1: 5.4 MEDIUM
V2.0: 5.5 MEDIUM
CVE-2019-14836

A vulnerability was found in which the 3scale dev portal does not employ mechanisms for protection against login CSRF. An attacker could use this flaw to access unauthorized information or conduct further attacks.

Published: May 26, 2021; 8:15:10 AM -0400
V3.1: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2019-14852

A flaw was found in 3scale’s APIcast gateway that enabled the TLS 1.0 protocol. An attacker could target traffic using this weaker protocol and break its encryption, gaining access to unauthorized information. The version shipped in Red Hat 3scale API Management Platform is vulnerable to this issue.

Published: March 18, 2021; 4:15:12 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2021-20252

A flaw was found in Red Hat 3scale API Management Platform 2. The 3scale backend does not perform preventive handling on user-requested date ranges in certain queries, allowing a malicious authenticated user to submit a request with a sufficiently large date range to eventually yield an internal server error, resulting in denial of service. The highest threat from this vulnerability is to system availability.

Published: February 23, 2021; 6:15:13 PM -0500
V3.1: 6.5 MEDIUM
V2.0: 6.8 MEDIUM
CVE-2019-14849

A vulnerability was found in 3scale before version 2.6, which did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross-site scripting attacks and gain access to unauthorized information.

Published: December 12, 2019; 9:15:15 AM -0500
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2017-7512

Red Hat 3scale (aka RH-3scale) API Management Platform (AMP) before 2.0.0 would permit creation of an access token without a client secret. An attacker could use this flaw to circumvent authentication controls and gain access to restricted APIs. NOTE: some sources have a typo in which CVE-2017-7512 maps to an OpenVPN vulnerability. The proper CVE ID for that OpenVPN vulnerability is CVE-2017-7521. Specifically, CVE-2017-7521 is the correct CVE ID for TWO closely related findings in OpenVPN. Any source that lists BOTH CVE-2017-7512 and CVE-2017-7521 for OpenVPN should have listed ONLY CVE-2017-7521.

Published: July 07, 2017; 6:29:00 PM -0400
V3.0: 9.8 CRITICAL
V2.0: 7.5 HIGH