CVE-2021-3412

It was found that all versions of 3Scale developer portal lacked brute force protections. An attacker could use this gap to bypass login controls, and access privileged information, or possibly conduct further attacks.

CVSS v3 7.3 HIGH
CVSS v2.0 5.0 MEDIUM

7.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1928301	Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:3scale::::::::
	cpe:2.3:a:redhat:3scale_api_management:2.0:::::::*

History

No history.

Information

Published : 2021-06-01 14:15

Updated : 2024-02-28 18:28

NVD link : CVE-2021-3412

Mitre link : CVE-2021-3412

CVE.ORG link : CVE-2021-3412

JSON object : View

Products Affected

redhat

3scale_api_management
3scale

CWE

CWE-307

Improper Restriction of Excessive Authentication Attempts

{"id": "CVE-2021-3412", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 3.9}]}, "published": "2021-06-01T14:15:10.267", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1928301", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-307"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-307"}]}], "descriptions": [{"lang": "en", "value": "It was found that all versions of 3Scale developer portal lacked brute force protections. An attacker could use this gap to bypass login controls, and access privileged information, or possibly conduct further attacks."}, {"lang": "es", "value": "Se detect\u00f3 que todas las versiones del portal de desarrollo de3Scale, carecen de protecciones contra la fuerza bruta. Un atacante podr\u00eda usar esta brecha para omitir los controles de inicio de sesi\u00f3n y acceder a informaci\u00f3n privilegiada, o posiblemente conducir m\u00e1s ataques"}], "lastModified": "2022-06-03T17:24:27.460", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:3scale:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C7DC1222-9CB1-4492-9D53-E302F5AAE880"}, {"criteria": "cpe:2.3:a:redhat:3scale_api_management:2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C5434CC8-66E0-4378-AAB3-B2FECDDE61BB"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}