CVE-2023-0456: Apicast proxies the api call with incorrect jwt token to the api backend without proper authorization check
First published: Tue Jan 24 2023(Updated: )
<a href="https://issues.redhat.com/browse/THREESCALE-9009">https://issues.redhat.com/browse/THREESCALE-9009</a> Steps to reproduce Deploy 3scale + APIcast 2.12 Configure a single Product A with an OpenID Provider + realm A Generate a token on the OpenID Provider but a different realm with a client not subscribed to Product A Set the backend with a Public Path != "/" (setting a value here is important to enable the routing policy) Send a request to the gateway using Host & path that will match Product A The above conditions will trigger the 404 Not Found returned to APIcast by backend and also the proxy pass to the upstream which results in the upstream response being sent back to the client. Observations The oidc module is not catching an exception when the JWK cannot be found due to the fact the JWT contains a mismatching kid. The failure to catch this exception then results in a further failure within the proxy module which should be able to evaluate the object returned by the oidc module and fail the authorisation logic but instead it continues to the authrep but without the required parameters which results in an incomplete request sent to backend and thus the 404 Not Found. Furthermore if the routing policy is enabled then it seems that as the proxy module has evaluated- incorrectly - that the JWT is already cached then it is able to send the request to the upstream. This doesn't happen without the routing policy because for some unknown reason as of yet the upstream is logged as being invalid otherwise it would also result in the proxy pass happening.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Apicast | <2.12.2 | |
| Redhat Apicast | >=2.13.0<2.13.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/nvd-api
- collector/nvd-index
- agent/author
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/severity
- agent/references
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-0456
- agent/software-canonical-lookup
- agent/tags
- agent/event
- vendor/redhat
- canonical/redhat apicast
- version/redhat apicast/2.13.0
- package-manager/redhat