[CVE-2017-7512] reject empty client secret #392

mikz · 2017-07-14T10:13:24Z

3scale Service Management API would return 200 when app_key paramater
was empty for legacy purposes. That was not expected by the
gateway which was sending empty key for verification.

This was fixed on 3scale Service Management API and empty app_key
parameter will now return 409.

However, gateway should not rely jsut on 3scale Service Management,
so it performs own validation of the client secret during Access Token
generation.

3scale Service Management API would return 200 when app_key paramater was empty for legacy purposes. That was not expected by the gateway which was sending empty key for verification. This was fixed on 3scale Service Management API and empty app_key parameter will now return 409. However, gateway should not rely jsut on 3scale Service Management, so it performs own validation of the client secret during Access Token generation.

mikz added the B-current label Jul 14, 2017

mikz force-pushed the cve-2017-7512 branch from 6884847 to 5a905b1 Compare July 14, 2017 10:18

mikz merged commit 807eac9 into master Jul 14, 2017

mikz deleted the cve-2017-7512 branch July 14, 2017 10:23

mikz removed the B-current label Jul 14, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[CVE-2017-7512] reject empty client secret #392

[CVE-2017-7512] reject empty client secret #392

mikz commented Jul 14, 2017

[CVE-2017-7512] reject empty client secret #392

[CVE-2017-7512] reject empty client secret #392

Conversation

mikz commented Jul 14, 2017