CVE-2024-0560

Apicast: use_3scale_oidc_issuer_endpoint of token introspection policy isn't compatible with rh-sso 7.5 or later versions

Description

A vulnerability was found in 3scale when it is used with Keycloak 15 (or RH-SSO 7.5.0) and later versions. When the auth_type is use_3scale_oidc_issuer_endpoint, the Token Introspection policy discovers the Token Introspection endpoint from the token_introspection_endpoint field of the issuer's OIDC discovery document, but that field was removed in RH-SSO 7.5. As a result, the policy never introspects tokens and treats every token as valid, so tokens revoked in RH-SSO continue to be accepted until they expire.

Remediation

Workaround:

  • Use an alternate auth_type (auth_type: client_id+client_secret). Disabling the policy entirely might be a temporary solution if the alternate auth_type is not feasible for some reason. The only purpose the token introspection endpoint serves is to reject sessions that are revoked in RH-SSO before the standard TTL expires via the exp claim.
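To make the failure mode concrete, the following is an added Python sketch (not apicast code and not the upstream fix) that models the policy's endpoint lookup against two constructed discovery documents, one carrying the legacy key and one without it, and contrasts the fail-open behaviour with a fail-closed lookup. Hostnames are placeholders, and it is assumed that the RFC 8414 key introspection_endpoint is what RH-SSO 7.5 still publishes.

```python
import json

# Constructed sample discovery documents with placeholder URLs (not real hosts).
# Older RH-SSO published the non-standard "token_introspection_endpoint" key that
# the policy reads; RH-SSO 7.5 / Keycloak 15 dropped it, leaving only the RFC 8414
# name "introspection_endpoint" (assumed here to be the surviving key).
ISSUER = "https://sso.example.test/auth/realms/demo"  # placeholder
INTROSPECT_URL = ISSUER + "/protocol/openid-connect/token/introspect"  # placeholder
OLD_DISCOVERY = json.dumps({"issuer": ISSUER,
                            "token_introspection_endpoint": INTROSPECT_URL,
                            "introspection_endpoint": INTROSPECT_URL})
NEW_DISCOVERY = json.dumps({"issuer": ISSUER,
                            "introspection_endpoint": INTROSPECT_URL})


def discovery_is_affected(discovery_json):
    """Operator check: True when the key the vulnerable policy relies on is absent."""
    return "token_introspection_endpoint" not in json.loads(discovery_json)


def vulnerable_policy_allows(discovery_json, introspect):
    """Models the advisory's behaviour: only the legacy key is consulted, and a
    missing endpoint is treated as 'nothing to check', so every token passes."""
    endpoint = json.loads(discovery_json).get("token_introspection_endpoint")
    if endpoint is None:
        return True  # fails open
    return introspect(endpoint)


def hardened_policy_allows(discovery_json, introspect):
    """Illustrative hardening (not the upstream patch): accept either key and
    fail closed when no introspection endpoint can be discovered."""
    doc = json.loads(discovery_json)
    endpoint = doc.get("introspection_endpoint") or doc.get("token_introspection_endpoint")
    if not endpoint:
        return False  # fail closed: cannot verify, so deny
    return introspect(endpoint)


def revoked_token(endpoint):
    """Constructed stand-in for an introspection call answering for a revoked token."""
    return False  # i.e. an RFC 7662 response of {"active": false}


if __name__ == "__main__":
    print("RH-SSO 7.5 style discovery affected:", discovery_is_affected(NEW_DISCOVERY))
    print("vulnerable policy allows revoked token:", vulnerable_policy_allows(NEW_DISCOVERY, revoked_token))
    print("hardened policy allows revoked token:", hardened_policy_allows(NEW_DISCOVERY, revoked_token))
```

Running discovery_is_affected against your realm's .well-known/openid-configuration document tells you whether the legacy key the policy depends on is present.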

CVSS

Score: 6.3 (CVSS 3.1), Severity: Medium
EPSS: 0.09%
Vendor Advisory: redhat.com
Affected: Red Hat 3scale API Management Platform 2

Frequently Asked Questions

What is the severity of CVE-2024-0560?
CVE-2024-0560 has been scored as a medium severity vulnerability.
How to fix CVE-2024-0560?
As a workaround for remediating CVE-2024-0560: Use an alternate auth_type (auth_type: client_id+client_secret). Disabling the policy entirely might be a temporary solution if the alternate auth_type is not feasible for some reason. The only purpose the token introspection endpoint serves is to reject sessions that are revoked in RH-SSO before the standard TTL expires via the exp claim.
Is CVE-2024-0560 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2024-0560 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-0560?
CVE-2024-0560 affects Red Hat 3scale API Management Platform 2.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.