CVE-2023-0456

7.4 HIGH

📋 TL;DR

APICast, the API gateway of Red Hat 3scale API Management, can authenticate API calls with OpenID Connect (OIDC) access tokens. In affected versions its 3Scale OIDC module does not properly evaluate a token mismatch: a token issued by a different realm of the same identity provider is accepted instead of being rejected, so a caller holding a valid token from one realm can reach APIs that are bound to another realm. The result is disclosure of data that the realm boundary was meant to isolate.
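The check the advisory calls "token mismatch" is the binding between a service and exactly one issuer. The sketch below is an added illustration, not APICast's own Lua code: it contrasts a lax validator that trusts any key the gateway knows about with a strict one that pins the issuer and only consults that realm's key. Realm URLs, client IDs and the HS256 secrets are constructed for the example; a real provider publishes per-realm RSA keys through JWKS, but the realm-binding logic is the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed data: two realms on one identity provider, each with its own
# signing key (HS256 secrets stand in for per-realm RSA/JWKS keys).
ISS_A = "https://sso.example.com/auth/realms/tenant-a"
ISS_B = "https://sso.example.com/auth/realms/tenant-b"
REALM_KEYS = {
    ISS_A: {"kid": "tenant-a-key-1", "secret": b"constructed-secret-tenant-a"},
    ISS_B: {"kid": "tenant-b-key-1", "secret": b"constructed-secret-tenant-b"},
}
# A kid-indexed cache spanning every realm the gateway knows: the shape of
# lookup that makes a cross-realm token look "valid".
KEYS_BY_KID = {v["kid"]: v["secret"] for v in REALM_KEYS.values()}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def mint_token(issuer: str, client_id: str, subject: str, ttl: int = 300) -> str:
    """Issue an HS256 JWT the way realm `issuer` would: signed with that realm's key."""
    realm = REALM_KEYS[issuer]
    header = {"alg": "HS256", "typ": "JWT", "kid": realm["kid"]}
    payload = {"iss": issuer, "aud": client_id, "azp": client_id,
               "sub": subject, "exp": int(time.time()) + ttl}
    signing_input = f"{_encode(header)}.{_encode(payload)}"
    sig = hmac.new(realm["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _parse(token: str):
    """Return (header, payload, signing_input, signature); ValueError if malformed."""
    try:
        h, p, s = token.split(".")
        return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), f"{h}.{p}", _b64url_decode(s)
    except ValueError as exc:  # covers binascii, JSON and UTF-8 errors
        raise ValueError("malformed token") from exc


def _signature_ok(secret: bytes, signing_input: str, signature: bytes) -> bool:
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def _check_claims(payload: dict, expected_client_id: str):
    if payload.get("exp", 0) < time.time():
        return False, "expired"
    if payload.get("aud") != expected_client_id:  # real tokens may carry a list here
        return False, "audience mismatch"
    return True, "ok"


def verify_lax(token: str, expected_client_id: str):
    """Vulnerable pattern: resolve the key by kid across all realms, never pin `iss`.

    A tenant-b token passes because its kid maps to a real key, and client IDs
    are only unique within a realm, so the `aud` check alone does not catch it.
    """
    try:
        header, payload, signing_input, sig = _parse(token)
    except ValueError as exc:
        return False, str(exc)
    secret = KEYS_BY_KID.get(header.get("kid"))
    if secret is None or header.get("alg") != "HS256":
        return False, "unknown key"
    if not _signature_ok(secret, signing_input, sig):
        return False, "bad signature"
    return _check_claims(payload, expected_client_id)


def verify_strict(token: str, expected_issuer: str, expected_client_id: str):
    """Hardened pattern: the service is bound to one issuer; only that realm's
    key is consulted and the token's `iss` must match it exactly."""
    try:
        header, payload, signing_input, sig = _parse(token)
    except ValueError as exc:
        return False, str(exc)
    if payload.get("iss") != expected_issuer:
        return False, "issuer mismatch"
    realm = REALM_KEYS[expected_issuer]
    if header.get("alg") != "HS256" or header.get("kid") != realm["kid"]:
        return False, "unknown key"
    if not _signature_ok(realm["secret"], signing_input, sig):
        return False, "bad signature"
    return _check_claims(payload, expected_client_id)


def forge_claim(token: str, claim: str, value) -> str:
    """Rewrite one claim without re-signing: the signature check must still reject it."""
    h, p, s = token.split(".")
    payload = json.loads(_b64url_decode(p))
    payload[claim] = value
    return f"{h}.{_encode(payload)}.{s}"


if __name__ == "__main__":
    good = mint_token(ISS_A, "orders-api", "alice")
    cross = mint_token(ISS_B, "orders-api", "mallory")  # same client_id, other realm
    print("lax,    tenant-b token:", verify_lax(cross, "orders-api"))
    print("strict, tenant-b token:", verify_strict(cross, ISS_A, "orders-api"))
    print("strict, tenant-a token:", verify_strict(good, ISS_A, "orders-api"))
    print("strict, forged sub    :", verify_strict(forge_claim(good, "sub", "admin"), ISS_A, "orders-api"))
```

The cross-realm token is accepted by `verify_lax` with a correct signature and a matching `aud`, which is exactly why neither check substitutes for pinning `iss`: a client ID is a per-realm namespace, so an attacker who can register a client named `orders-api` in their own realm satisfies the audience check. `verify_strict` rejects the same token before any claim is trusted, and still rejects a token whose claims were edited after signing.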

💻 Affected Systems

Products:
  • Red Hat 3scale API Management
  • APICast
Versions: APICast prior to 2.11.0; confirm the exact fixed build for your 3scale release against the vendor advisory, since 3scale product releases and APICast component versions are numbered separately
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only API services whose authentication mode is OpenID Connect (APICast's 3Scale OIDC module) are exposed; services using API key or app_id/app_key authentication do not go through this code path. The flaw is cross-realm, so it matters most where one identity provider hosts several realms (tenants) and one gateway serves services bound to different ones

📦 What is this software?

APICast is the NGINX/OpenResty-based API gateway that Red Hat 3scale API Management deploys in front of customer APIs. It enforces the authentication mode configured for each API service in the 3scale admin portal; for services set to OpenID Connect, its OIDC module validates the JWT access token presented by the caller (signature, expiry and issuer/audience claims) against the identity provider configured for that service, typically Red Hat Single Sign-On (Keycloak), where each realm is a separate trust domain with its own users, clients and signing keys.
⚠️ Risk & Real-World Impact

🔴

Worst Case

A caller holding a valid token from one realm reads data behind APIs that are bound to a different realm, breaking tenant isolation and exposing confidential API responses, user records, or internal system data.

🟠

Likely Case

Unauthorized access to API data, user information, or configuration details in a realm the caller does not belong to, limited to what the affected OIDC-protected services expose.

🟢

If Mitigated

Limited or no impact when each gateway instance trusts a single issuer, realm boundaries are also enforced at the network layer, and cross-realm token use is monitored.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No
Complexity: MEDIUM

Requires a valid token from another realm trusted by the same identity provider (for example an account the attacker controls in their own tenant's realm), plus enough understanding of OIDC token validation to know which service and realm the target API is bound to.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: APICast 2.11.0 and later (verify the fixed build for your 3scale release in the vendor advisory)

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2023-0456

Restart Required: Yes

Instructions:

1. Update APICast to version 2.11.0 or later.
2. Apply the update through your deployment method (container image, OpenShift template or operator, RPM, etc.).
3. Restart APICast services (for container deployments, roll out the new image).
4. Verify the update was successful by checking the running version and re-testing token validation across realms.

🔧 Temporary Workarounds

Switch affected services off OIDC

linux

If OIDC is not required for a service, change its authentication mode in the 3scale admin portal (API key or app_id/app_key) so that the service no longer goes through the 3Scale OIDC module

Do not simply delete OIDC module references from the APICast configuration, since that leaves the service without token validation rather than with a safe alternative

Network isolation

all

Restrict which clients can reach each gateway instance so that a token from an unrelated realm cannot be presented to a service bound to a different one

Configure firewall rules so that each APICast instance is reachable only from the networks of the tenant (realm) it serves

🧯 If You Can't Patch

  • Enforce strict network segmentation between tenants, ideally one gateway instance per realm so no single instance trusts more than one issuer
  • Monitor and alert on tokens whose issuer does not match the realm configured for the service they are presented to

🔍 How to Verify

Check if Vulnerable:

Confirm the running APICast version is below 2.11.0 and that at least one API service uses the OpenID Connect authentication mode (the 3Scale OIDC module); only those services are exposed

Check Version:

apicast --version

For container and OpenShift deployments, check the image tag of the running APICast pods instead of the binary; the tag reflects the 3scale release, so map it to the fixed build listed in the vendor advisory

Verify Fix Applied:

Confirm the running version is 2.11.0 or later, then test with a valid token issued by a different realm of the same identity provider: the gateway must reject it for a service bound to another realm

📡 Detection & Monitoring

Log Indicators:

  • Successful API calls carrying a token whose issuer (iss claim) differs from the realm configured for the service
  • OIDC token validation failures after patching, which can indicate cross-realm attempts that previously succeeded
  • Cross-realm API calls, for example one client identity appearing against services of several tenants

Network Indicators:

  • Unexpected traffic between separate authentication realms or tenant networks
  • OIDC token or key (JWKS) requests from unexpected sources

SIEM Query:

source="apicast" AND ("OIDC" OR "realm") AND ("unauthorized" OR "validation_failed")

🔗 References

  • https://access.redhat.com/security/cve/CVE-2023-0456
  • https://nvd.nist.gov/vuln/detail/CVE-2023-0456