CVE-2024-0560: Improper Handling of Insufficient Permissions or Privileges
A vulnerability was found in 3Scale when used with Keycloak 15 (or RH-SSO 7.5.0) and later. When the auth_type is use_3scale_oidc_issuer_endpoint, the Token Introspection policy discovers the Token Introspection endpoint from the token_introspection_endpoint field, but that field was removed in RH-SSO 7.5. As a result, the policy does not inspect tokens; it determines that all tokens are valid.
AI Analysis
Technical Summary
CVE-2024-0560 is a vulnerability discovered in the integration between 3Scale API Management and Keycloak 15 or Red Hat Single Sign-On (RH-SSO) version 7.5.0 and above. The vulnerability specifically affects the Token Introspection policy when the authentication type is set to use_3scale_oidc_issuer_endpoint. Normally, this policy validates tokens by querying the token_introspection_endpoint specified in the token's metadata. However, starting with RH-SSO 7.5, the token_introspection_endpoint field was removed from the tokens issued, causing the 3Scale Token Introspection policy to fail to locate the endpoint. As a result, the policy does not perform token validation and incorrectly assumes all tokens are valid. This leads to improper handling of permissions and privileges, effectively allowing unauthorized users to gain access to protected resources or APIs. The vulnerability has a CVSS v3.1 base score of 6.3, reflecting network exploitability with low complexity, requiring privileges but no user interaction, and impacting confidentiality, integrity, and availability to a limited extent. No public exploits have been reported, and no official patches have been published at the time of disclosure. The root cause is a breaking change in RH-SSO token structure that was not accounted for in 3Scale's Token Introspection policy implementation.
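The failure mode above is a fail-open lookup: the endpoint is searched for only under the legacy field name, and a missing endpoint skips introspection entirely. The following Python model (an added example written for this page, not 3scale's or APIcast's own policy code) places that behaviour beside a fail-closed variant that also accepts the standard RFC 8414 field name introspection_endpoint and rejects tokens when no endpoint can be discovered. The discovery documents and URLs are constructed samples, and the network call is replaced by an injected callable.

```python
from typing import Callable, Optional

# Constructed sample discovery documents (not real deployments). The first
# mimics an issuer that still publishes the legacy Keycloak field; the second
# mimics RH-SSO 7.5 / Keycloak 15, where that field is gone and only the
# RFC 8414 name "introspection_endpoint" is published.
LEGACY_DISCOVERY = {
    "issuer": "https://sso.example.invalid/auth/realms/demo",
    "token_introspection_endpoint": "https://sso.example.invalid/introspect",
}
CURRENT_DISCOVERY = {
    "issuer": "https://sso.example.invalid/auth/realms/demo",
    "introspection_endpoint": "https://sso.example.invalid/introspect",
}

# Stand-in for the network call; a real client would POST the token to the
# endpoint (RFC 7662) and read the "active" field of the JSON response.
Introspector = Callable[[str, str], bool]


def always_inactive(endpoint: str, token: str) -> bool:
    """Hypothetical introspector that reports every token as revoked."""
    return False


def validate_fail_open(discovery: dict, token: str, introspect: Introspector) -> bool:
    """Models the behaviour described for CVE-2024-0560: the endpoint is looked
    up only under the legacy name, and a missing endpoint skips the check."""
    endpoint = discovery.get("token_introspection_endpoint")
    if endpoint is None:
        return True  # fail-open: every token is treated as valid
    return introspect(endpoint, token)


def discover_introspection_endpoint(discovery: dict) -> Optional[str]:
    """Accept the legacy field first, then the standard RFC 8414 field name."""
    for key in ("token_introspection_endpoint", "introspection_endpoint"):
        value = discovery.get(key)
        if isinstance(value, str) and value.startswith("https://"):
            return value
    return None


def validate_fail_closed(discovery: dict, token: str, introspect: Introspector) -> bool:
    """Hardened variant: no discoverable endpoint means the token is rejected."""
    endpoint = discover_introspection_endpoint(discovery)
    if endpoint is None:
        return False  # fail-closed: cannot introspect, so deny
    return introspect(endpoint, token)
```

Logging the fail-closed branch gives the early-warning signal the mitigation section asks for: a burst of rejections with no discoverable endpoint points at a discovery-document change rather than at bad tokens.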
Potential Impact
For European organizations, this vulnerability poses a significant risk to API security and access control mechanisms when using 3Scale with RH-SSO 7.5 or newer. Unauthorized users could bypass token validation, potentially gaining access to sensitive data or performing unauthorized actions on APIs protected by this mechanism. This can lead to data breaches, service disruption, and loss of trust. Organizations in sectors with strict regulatory requirements such as finance, healthcare, and government are particularly at risk due to the potential exposure of confidential information. The vulnerability affects the integrity and confidentiality of API transactions and could also impact availability if unauthorized actions disrupt services. Since the vulnerability requires privileges to exploit, attackers may need some level of initial access, but no user interaction is needed, increasing the risk of automated exploitation in internal or semi-trusted environments.
Mitigation Recommendations
European organizations should immediately audit their 3Scale and RH-SSO integration configurations to determine if they are using the affected versions and the vulnerable authentication type (use_3scale_oidc_issuer_endpoint). Until an official patch is released, organizations should consider disabling the Token Introspection policy or switching to alternative token validation methods that do not rely on the removed token_introspection_endpoint field. Implementing additional layers of access control, such as strict API gateway rules, IP whitelisting, or mutual TLS, can help mitigate unauthorized access risks. Monitoring and logging token validation failures and unusual API access patterns can provide early detection of exploitation attempts. Organizations should also engage with Red Hat and 3Scale support channels to obtain updates on patches or workarounds. Finally, applying the principle of least privilege to all API tokens and limiting token scopes can reduce the potential impact of compromised tokens.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2024-01-15T13:16:09.681Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691f5c4ee672cd9080e8d486
Added to database: 11/20/2025, 6:22:06 PM
Last enriched: 11/20/2025, 6:40:20 PM
Last updated: 12/4/2025, 11:00:37 PM