CVE-2021-27306

An improper access control vulnerability in the JWT plugin in Kong Gateway prior to 2.3.2.0 allows unauthenticated users access to authenticated routes without a valid token JWT.

Published: Mar 18, 2021
Updated: Nov 8, 2023
CVE: CVE-2021-27306
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N

CWEs:

CWE-706

Affected Software
References

Software	From	Fixed in
konghq / kong_gateway	-	2.3.2.0

https://docs.konghq.com/enterprise/changelog/#core-1
https://medium.com/@sew.campos/cve-2021-27306-access-an-authenticated-route-on-kong-api-gateway-6ae3d81968a3
https://medium.com/%40sew.campos/cve-2021-27306-access-an-authenticated-route-on-kong-api-gateway-6ae3d81968a3

Vulnerability Database

289,571

CVE-2021-27306