Vulnerability Details: CVE-2021-27306
An improper access control vulnerability in the JWT plugin in Kong Gateway prior to 2.3.2.0 allows unauthenticated users access to authenticated routes without a valid JWT token.
Products affected by CVE-2021-27306
- cpe:2.3:a:konghq:kong_gateway:*:*:*:*:enterprise:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-27306
0.18% (probability of exploitation activity in the next 30 days)
EPSS Score History
~55% percentile (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2021-27306
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2021-27306
- The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere. Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-27306
- https://medium.com/@sew.campos/cve-2021-27306-access-an-authenticated-route-on-kong-api-gateway-6ae3d81968a3
  CVE-2021-27306: Access an authenticated route on Kong API Gateway | by sewan | Mar, 2021 | Medium (Exploit; Patch; Third Party Advisory)
- https://docs.konghq.com/enterprise/changelog/#core-1
  Kong Gateway (Enterprise) Changelog - vchangelog.md | Kong - Open-Source API Management and Microservice Management (Vendor Advisory)