CVE-2024-0560: Improper Handling of Insufficient Permissions or Privileges
A vulnerability was found in 3Scale when used with Keycloak 15 (or RH-SSO 7.5.0) and later. When the auth_type is use_3scale_oidc_issuer_endpoint, the Token Introspection policy discovers the Token Introspection endpoint from the token_introspection_endpoint field, but that field was removed in RH-SSO 7.5. As a result, the policy doesn't inspect tokens; it determines that all tokens are valid.
AI Analysis
Technical Summary
CVE-2024-0560 is a vulnerability discovered in the integration between 3Scale API Management and Keycloak 15 or Red Hat Single Sign-On (RH-SSO) version 7.5.0 and later. The vulnerability stems from a change in RH-SSO 7.5.0 where the token_introspection_endpoint field was removed. When 3Scale is configured with the authentication type use_3scale_oidc_issuer_endpoint, its Token Introspection policy relies on this field to locate the token introspection endpoint. Because the field no longer exists, the policy fails to perform token validation and instead assumes all tokens are valid. This results in improper handling of insufficient permissions or privileges, effectively bypassing token validation. Attackers can exploit this flaw to gain unauthorized access to protected resources by presenting invalid or expired tokens that are erroneously accepted. The vulnerability requires network access and privileges to interact with the authentication system but does not require user interaction. The CVSS v3.1 base score is 6.3, indicating a medium severity with low attack complexity but requiring privileges. No public exploits have been reported yet, but the flaw poses a significant risk to organizations relying on this authentication mechanism for API security. The root cause is a mismatch between 3Scale's token introspection policy expectations and the updated RH-SSO implementation, highlighting the importance of compatibility testing after upstream changes. This vulnerability impacts confidentiality, integrity, and availability by allowing unauthorized access and potential privilege escalation.
Potential Impact
The impact of CVE-2024-0560 is substantial for organizations using 3Scale API Management integrated with RH-SSO 7.5.0 or newer. By bypassing token validation, attackers can gain unauthorized access to APIs and backend services protected by this authentication mechanism. This can lead to data leakage, unauthorized data modification, and disruption of services. The vulnerability undermines the trustworthiness of token-based authentication, potentially allowing attackers to impersonate legitimate users or escalate privileges. Enterprises relying on these technologies for securing sensitive data and critical infrastructure face increased risk of breaches and compliance violations. The flaw affects confidentiality by exposing protected data, integrity by allowing unauthorized changes, and availability by potentially enabling denial of service through unauthorized actions. Although exploitation requires some level of privilege to interact with the system, the ease of bypassing token validation increases the attack surface. The absence of user interaction requirements facilitates automated exploitation in targeted environments. Organizations in sectors such as finance, government, telecommunications, and cloud services that use these products are particularly vulnerable to operational and reputational damage.
Mitigation Recommendations
To mitigate CVE-2024-0560, organizations should first verify if their 3Scale and RH-SSO deployments are affected by checking the versions and authentication configurations. Immediate mitigation includes disabling the use_3scale_oidc_issuer_endpoint authentication type or reverting to a supported token introspection method until a patch is available. Applying any vendor-released patches or updates that address this incompatibility is critical once they are published. Additionally, organizations should implement compensating controls such as network segmentation to restrict access to the authentication endpoints, enforce strict monitoring and logging of token validation failures, and conduct regular audits of API access logs for anomalous activity. Employing multi-factor authentication (MFA) and limiting token lifetimes can reduce the window of opportunity for exploitation. Security teams should also validate tokens through alternative means or custom policies that do not rely solely on the removed field. Coordinating with Red Hat and 3Scale support channels for guidance and updates is recommended. Finally, organizations should conduct thorough testing of authentication flows after upgrades to detect similar issues proactively.
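The fail-open behaviour the summary describes and the fail-closed check the mitigation section asks for, as an added Python model (not APIcast's or 3scale's own code). Beyond what the page states, it assumes that Keycloak 15 / RH-SSO 7.5 publish the introspection URL under the RFC 8414 name introspection_endpoint; the discovery documents, URLs and the introspection responder are constructed stand-ins.

```python
import json

LEGACY_FIELD = "token_introspection_endpoint"  # the field the 3scale policy reads
STANDARD_FIELD = "introspection_endpoint"      # RFC 8414 name (assumed Keycloak 15+ form)

# Constructed discovery documents (not real server output); URLs are placeholders.
DISCOVERY_OLD = json.dumps({
    "issuer": "https://sso.example/realms/demo",
    LEGACY_FIELD: "https://sso.example/realms/demo/introspect",
})
DISCOVERY_NEW = json.dumps({
    "issuer": "https://sso.example/realms/demo",
    STANDARD_FIELD: "https://sso.example/realms/demo/introspect",
})

# Constructed stand-in for an RFC 7662 introspection call; only one token is active.
def fake_introspect(endpoint, token):
    return {"active": token == "good-token"}

def vulnerable_policy(discovery_json, token, introspect=fake_introspect):
    """Models the advisory: endpoint looked up only under the legacy field, and a
    missing endpoint skips introspection entirely, so any token passes (fail-open)."""
    endpoint = json.loads(discovery_json).get(LEGACY_FIELD)
    if endpoint is None:
        return True                      # nothing to call -> treated as valid
    return introspect(endpoint, token).get("active") is True

def hardened_policy(discovery_json, token, introspect=fake_introspect):
    """Fail-closed variant: accept either field name and deny when the endpoint
    cannot be resolved or introspection fails, instead of skipping the check."""
    doc = json.loads(discovery_json)
    endpoint = doc.get(STANDARD_FIELD) or doc.get(LEGACY_FIELD)
    if not endpoint:
        return False                     # cannot validate -> deny
    try:
        return introspect(endpoint, token).get("active") is True
    except Exception:
        return False                     # introspection error -> deny

def discovery_status(discovery_json):
    """Exposure check for the 'verify if affected' step: does the issuer still
    publish the field the policy expects?"""
    doc = json.loads(discovery_json)
    if doc.get(LEGACY_FIELD):
        return "legacy"      # policy can locate the endpoint
    if doc.get(STANDARD_FIELD):
        return "affected"    # policy will find nothing and fail open
    return "missing"         # no introspection endpoint advertised at all
```

Running discovery_status against a live issuer's /.well-known/openid-configuration tells an operator whether the field the policy expects is still published before any token ever reaches the gateway.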
Affected Countries
United States, Germany, United Kingdom, France, Japan, India, Canada, Australia, Brazil, Netherlands, South Korea, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2024-01-15T13:16:09.681Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691f5c4ee672cd9080e8d486
Added to database: 11/20/2025, 6:22:06 PM
Last enriched: 2/28/2026, 11:03:14 AM
Last updated: 3/25/2026, 5:34:03 PM