{
  "threat_severity" : "Moderate",
  "public_date" : "2021-09-22T00:00:00Z",
  "bugzilla" : {
    "description" : "3scale: missing validation of access token",
    "id" : "2004322",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2004322"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-862",
  "details" : [ "It was found that 3scale's API docs do not validate the access token; in the case of an invalid token, session auth is used instead. This conceivably bypasses access controls and permits unauthorized information disclosure.", "A flaw was found in 3scale's API docs, where it does not validate the access token. In the case of an invalid token, it uses session auth instead. This issue possibly bypasses access controls and permits unauthorized information disclosure." ],
  "affected_release" : [ {
    "product_name" : "3scale API Management 2.11 on RHEL 7",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3851",
    "cpe" : "cpe:/a:redhat:3scale_amp:2.11::el7",
    "package" : "3scale-amp2/3scale-rhel7-operator:1.14.0-4"
  }, {
    "product_name" : "3scale API Management 2.11 on RHEL 7",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3851",
    "cpe" : "cpe:/a:redhat:3scale_amp:2.11::el7",
    "package" : "3scale-amp2/3scale-rhel7-operator-metadata:2.11.0-16"
  }, {
    "product_name" : "3scale API Management 2.11 on RHEL 7",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3851",
    "cpe" : "cpe:/a:redhat:3scale_amp:2.11::el7",
    "package" : "3scale-amp2/apicast-rhel7-operator:1.14.0-3"
  }, {
    "product_name" : "3scale API Management 2.11 on RHEL 7",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3851",
    "cpe" : "cpe:/a:redhat:3scale_amp:2.11::el7",
    "package" : "3scale-amp2/apicast-rhel7-operator-metadata:2.11.0-9"
  }, {
    "product_name" : "3scale API Management 2.11 on RHEL 7",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3851",
    "cpe" : "cpe:/a:redhat:3scale_amp:2.11::el7",
    "package" : "3scale-amp2/memcached-rhel7:1.4.16-38"
  }, {
    "product_name" : "3scale API Management 2.11 on RHEL 7",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3851",
    "cpe" : "cpe:/a:redhat:3scale_amp:2.11::el7",
    "package" : "3scale-amp2/system-rhel7:1.15.0-8"
  }, {
    "product_name" : "3scale API Management 2.11 on RHEL 8",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3851",
    "cpe" : "cpe:/a:redhat:3scale_amp:2.11::el8",
    "package" : "3scale-amp2/apicast-gateway-rhel8:1.20.0-6"
  }, {
    "product_name" : "3scale API Management 2.11 on RHEL 8",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3851",
    "cpe" : "cpe:/a:redhat:3scale_amp:2.11::el8",
    "package" : "3scale-amp2/backend-rhel8:1.14.0-3"
  }, {
    "product_name" : "3scale API Management 2.11 on RHEL 8",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3851",
    "cpe" : "cpe:/a:redhat:3scale_amp:2.11::el8",
    "package" : "3scale-amp2/toolbox-rhel8:1.6.0-7"
  }, {
    "product_name" : "3scale API Management 2.11 on RHEL 8",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3851",
    "cpe" : "cpe:/a:redhat:3scale_amp:2.11::el8",
    "package" : "3scale-amp2/zync-rhel8:1.14.0-3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-3814\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3814" ],
  "name" : "CVE-2021-3814",
  "csaw" : false
}