CVE-2021-27306: 
Kong vulnerability analysis and mitigation

An improper access control vulnerability was discovered in the JWT plugin of Kong Gateway versions prior to 2.3.2.0. The vulnerability, identified as CVE-2021-27306, allows unauthenticated users to access authenticated routes without providing a valid JWT token. This security flaw was disclosed on March 18, 2021, affecting Kong Gateway Enterprise installations that use the JWT plugin for authentication (NVD, CVE).

The vulnerability stems from Kong Gateway's handling of URI normalization before route matching. When a service has both authenticated and unauthenticated routes, an attacker could bypass authentication by using path traversal techniques (../). The issue occurs when Kong inherits rules from unauthenticated routes without properly normalizing the URI path before matching it against the router. The vulnerability has a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Medium Blog).

The vulnerability allows unauthorized access to protected routes that should require JWT authentication. This could lead to exposure of sensitive information or functionality that was intended to be restricted. The impact is particularly severe when Kong Gateway is used in conjunction with services that normalize URI paths, such as reverse proxies or load balancers (Medium Blog).

The vulnerability was fixed in Kong Gateway version 2.3.2.0. The fix ensures that Kong always normalizes the incoming request's URI before matching it against the Router. Organizations using affected versions should upgrade to version 2.3.2.0 or later to address this security issue (Kong Changelog).